                       WEDNESDAY, MARCH 12, 2008

                                   U.S. Senate,    
          Subcommittee on Federal Financial Management,    
                Government Information, Federal Services,  
                                and International Security,
                            of the Committee on Homeland Security  
                                          and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:32 p.m., in 
Room SD-342, Dirksen Senate Office Building, Hon. Thomas R. 
Carper, Chairman of the Subcommittee, presiding.
    Present: Senators Carper, Coleman, and Coburn.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Welcome one and all. It is good to see you, 
and we thank you for making time in your schedules today to 
visit with us.
    I believe this hearing was originally scheduled for 
tomorrow, and we have asked you to come a day early, and we are 
grateful that you are able to fit us into your schedule.
    We get to do something tomorrow that we call in the Senate 
``Vote-a-Rama,'' and it is all day, all night that we vote. And 
we are working on the budget resolution this week, and from 
time to time, we stack votes. And we are going to stack a whole 
lot of votes. We did not vote Monday. We did not vote Tuesday. 
We did not vote today. We probably will not vote today. And, 
instead, we are going to just save it all until tomorrow. When 
we vote every 15 minutes tomorrow, all day long, it would be 
pretty hard to squeeze in a hearing. We would just get little 
snippets from the witnesses, and we would be back to vote, so 
this works out a lot better for us and hopefully for you, too.
    But I appreciate or apologize for any inconvenience that 
has come from this.
    I think we are going to be joined by Senator Coleman of 
Minnesota in a little bit.
    Senator Coburn is involved on the floor with the budget, 
and so he may or may not be able to join us, but he is 
certainly interested in this issue. He and I have talked about 
it any number of times, and I suspect that you will be 
receiving some questions from him if he does not come in person 
to ask questions. I am sure you will be hearing from him in the 
future.
    But our thanks to our witnesses for joining us today. This 
hearing marks what I hope will be really the beginning of our 
proactive efforts to secure one of our most threatened and 
important national resources, and that is our sensitive 
information, not just about us as individuals, as human beings, 
but our businesses and our governmental units, and so forth.
    Every day our government's computers experience thousands 
of attacks, led by individuals seeking to gain access, and in 
some cases, to taxpayer records. In other cases, to our medical 
records; in some cases to our Social Security numbers, to 
proprietary business information, and to military secrets, just 
to name a few.
    Our public expects that agencies holding this information, 
particularly their personal information, will take every 
precaution necessary to ensure that it is secured, and well 
protected.
    However, despite the progress report in the Office of 
Management and Budget's most recent report, I feel like we are 
still very much at risk.
    Our inability to secure Federal information networks and 
protect the information they contain leaves American citizens 
open to threats that involve identity theft. And I guess if we 
go around the room here, we could ask do you know who has been 
a victim of identity theft. And let me just ask the audience. 
Do you know somebody who has been a victim of identity theft? 
Raise your hand, if you have. That was 17 hands that went up.
    That is about a third of the hands of the people that are 
here.
    But not only do we have worries and concerns about our 
personal identity and identity theft, but the threat that we 
face even places our national security at risk.
    For example, according to a report released I believe last 
Monday by the Department of Defense, the U.S. Government and 
our allies around the world have come under attack in the past 
year by hackers from addresses that appear to originate from 
the Chinese government. Maybe we will have something to talk 
with them about at the Olympics. We can sort of--cocktail talk 
with the Chinese we will raise this as we go through the 
Olympics.
    But these hackers were able to compromise information 
systems at government agencies, our government agencies, at 
defense-related think tanks, at contractors and at financial 
institutions as well.
    Germany's domestic intelligence agency, the German Office 
for the Protection of the Constitution, has accused China of 
sponsoring these attacks almost daily in an attempt to 
intensively gather political, military, corporate, strategic, 
and scientific information in order to bridge their 
technological gaps as quickly as possible.
    Actually most of that last sentence that I gave or that I 
read was, I think, a quote from the Germans themselves and sort 
of pointing out what they think is going on here.
    The threat of a Nation state cyber attack is very real, 
too. Last year, in Estonia, an attack led by Russian 
nationalists was coordinated through online chat rooms and Web 
sites. This cyber war, if you will, as the newspapers called 
it, shut down Web sites of Estonian organizations, including 
the Estonian parliament, banks, ministries, newspapers, and 
broadcasters.
    But we do not have to look overseas to find threats to our 
information security. Sometimes we only have to look in our own 
backyard. Just last year, the Veterans Affairs Department had 
an external hard drive stolen, exposing sensitive personal 
information on close to, I think, two million of my fellow 
veterans. But the Veterans Affairs is not the only example. The 
Department of Defense, the Department of Transportation, the 
Department of Commerce, the Department of Health and Human 
Services, Homeland Security, Education, Agriculture, and the 
Department of State were all compromised by current or former 
employees. And I understand that in many cases, it is the 
former employees or former contractors that are doing us in in 
some of these instances.
    But these incidents are not simply unacceptable. They are 
more than unacceptable. I have a feeling that if a private 
sector company, like a bank or an insurance company, that is 
entrusted with sensitive data were as vulnerable as some of our 
Federal agencies seem to be, they would be out of business 
pretty quick.
    The Federal Information Security Act (FISMA), came out of a 
recognition a few years ago, I want to say about 2002, the 
recognition of the critical importance of protecting our 
information systems. Since then, agencies have made 
extraordinary progress in implementing crucial information 
security measures, and they should be acknowledged and 
complimented for their efforts. And we acknowledge those 
efforts, and we compliment them where they have occurred.
    Having said that, I am concerned that 5 years after the 
passage or enactment of FISMA, agencies may be falling into the 
trap of complacency and just checking boxes to show compliance 
with requirements written into a bill.
    So once again, I want to thank our witnesses today for 
joining us, for your preparation for your testimonies today, 
and we look forward to hearing how Congress, how we in the 
Legislative Branch of this government can help in protecting 
our sensitive information for domestic threats and from foreign 
threats as well.
    We are going to leave the record open for Senator Coburn 
and others on the Subcommittee who would like to submit opening 
statements.
    We have done a lot of research on each of the witnesses and 
come up with some interesting things about your past.
    But let me just say our first witness will be Hon. Karen 
Evans, the Administrator for E-Government and Information 
Technology for the Office of Management and Budget. You have 
testified before this Subcommittee on several occasions. We are 
grateful for that and for you being here today.
    Ms. Evans directs the activities of the Chief Information 
Officer Council and oversees the implementation of IT 
throughout the Federal Government, including responsibilities 
in the areas of capital planning and investment control, 
information security, privacy, and the preservation of 
government information.
    Prior to becoming Administrator, Ms. Evans was the Chief 
Information Officer for the Department of Energy. What years 
were you there?
    Ms. Evans. I was there for a total of 20 months, so it was 
2002.
    Senator Carper. OK.
    Ms. Evans. From 2002.
    Senator Carper. All right. There, Ms. Evans was responsible 
for the design, implementation, and continuing successful 
operation of information technology programs and issues 
throughout the Department.
    In addition, Ms. Evans was Director of the Information 
Resources Management Division, the Office of Justice Programs 
at the U.S. Department of Justice, and there she was 
responsible for the management and successful operation of 
information technology programs.
    She holds a bachelors in chemistry and a Masters of 
Business Administration from a college located in the State 
where I was born, West Virginia--the University of West 
Virginia--a Mountaineer. I just had an emotional conversation 
with some folks earlier today about your football coach, who's 
headed off to Michigan. I went to Ohio State, so we had a good 
time on this conversation. But about your football coach--
headed off to Michigan, and they--it looks like West Virginia 
lost all their top five recruits, so people are not too happy.
    Our next witness is Greg Wilshusen, Director of Information 
Security Issues at the Government Accountability Office, where 
he leads information security-related studies and audits of the 
Federal Government.
    He has over 26 years of auditing, financial management, and 
information systems experience and is a certified public 
accountant, a certified internal auditor, and certified 
information systems auditor. That is a lot of certifieds.
    But he holds a B.S. degree in Business Administration and 
Accounting from the University of Missouri, and an M.S. in 
Information Management from George Washington University School 
of Engineering and Applied Sciences. Welcome.
    Our final witness is Tim Bennett, President of the Cyber 
Security Industry Alliance. Mr. Bennett has served as chief 
operating officer--I read your bio. I said to Dr. Coburn, I 
said this guy is going to be really old. I am pretty amazed 
that you are not. Either you are well preserved or not, but you 
have done a lot in your life, a lot of interesting stuff, too.
    As President of Cyber Security Industry Alliance, Mr. 
Bennett has served as chief operating officer, executive vice 
president, senior vice president, international, of the 
American Electronics Association for 7 years, where he directed 
all operations for 18 U.S. offices and 2,500 members among 
other responsibilities.
    In addition, Mr. Bennett has worked at the Office of the 
U.S. Trade Representative as the Deputy Assistant for 8 years, 
serving as a chief U.S. trade negotiator with Mexico, and one 
of the lead negotiators for the GATT Uruguay round of multi-
lateral trade negotiations. He is here to share with us why 
NAFTA was a good idea--no that will be testimony for another 
day.
    Earlier in his career, Mr. Bennett was an international 
economist for the U.S. Department of Labor's Bureau of Internal 
Labor Affairs and served on the U.S. negotiating team during 
the Tokyo round of multi-lateral GATT negotiations.
    So you are all welcome, and Ms. Evans, before you start, 
let me just say a special welcome to my friend, Senator Coburn, 
and to recognize him for any comments he might want to offer.
    Senator Coburn. I think you have covered it. Let us hear 
the testimony. Thank you.
    Senator Carper. All right. Thank you so much.
    Each of you, your full testimony will be made a part of the 
record, and without objection, and we will just have you take 
it away. Well, if you can hold it to 5, 6, or 7 minutes, that 
would be fine, but we are not going to run the clock very 
tightly. Thank you.
    Ms. Evans. Before I start, though, Mr. Chairman, I do want 
to thank you for the acknowledgement of being a die-hard 
Mountaineer fan, because I am. So, anyway.

   TESTIMONY OF HON. KAREN S. EVANS,\1\ ADMINISTRATOR FOR E-
     GOVERNMENT AND INFORMATION TECHNOLOGY, U.S. OFFICE OF 
                     MANAGEMENT AND BUDGET

    Ms. Evans. Good afternoon, and I appreciate the opportunity 
and thank you for inviting me to speak about the state of 
Federal information security.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Evans appears in the Appendix on 
page 49.
---------------------------------------------------------------------------
    Securing Federal information and information systems has 
been an Administration priority, and over the last several 
years, we have focused management attention through a risk-
based security framework.
    In my written testimony, we highlighted our results from 
the Annual Federal Information Security Management Act Report. 
However, I would like to briefly describe some of our 
initiatives intended to close the remaining performance gaps.
    In June 2006, OMB made recommendations to agencies to 
compensate for the lack of physical security controls when 
remotely accessing sensitive information. These recommendations 
were reiterated in OMB Memo 07-17. The recommended actions were 
to encrypt all sensitive data on mobile computers and devices, 
allow remote access only with two-factor authentication, use a 
time out function for remote access in mobile devices, and log 
and verify use of all computer readable data extracts from 
databases holding sensitive information.
    In order to assist agencies, we are leveraging our buying 
power. GSA and DOD established a Smart Buy agreement for 
products certified through the National Institute of Standards, 
FIPS 140-2 Crypto Module Validation Program.
    These certified products are used to encrypt data at rest, 
and we are currently using the management oversight of the 
President's Management Agenda Scorecard to ensure 
implementation and oversight of these recommendations.
    While strong security controls can reduce the number of 
incidents, experience shows some incidents and attacks cannot 
be prevented. Consequently, an effective detection and response 
capability is critical.
    In Fiscal Year 2007, 12,986 incidents were reported to the 
Department of Homeland Security Incident Response Center, which 
is more than twice the number that was reported in Fiscal Year 
2006.
    While the increasing number seems alarming, we are finding 
this increase to be partially attributable to improved incident 
identification and reporting.
    To further improve situational awareness and incident 
detection, we are working with agencies to reduce the overall 
number of external connections, including Internet points of 
presence. As agencies optimize their external connections, 
security controls to monitor threats will be deployed and 
correlated to create a government-wide perspective of our 
networks.
    Deployment of Einstein, an intrusion detection system, to 
all external access points will allow us to collect, analyze, 
and share aggregate computer security information across the 
Federal Government.
    Einstein will enhance current incident detection abilities, 
and will raise awareness of threats and vulnerabilities, 
allowing for corrective action in a timely manner.
    These initiatives described in my testimony today, in 
combination with other Administration initiatives, including 
IPv6, Homeland Security Presidential Directive 12, Minimum 
Computer Communications Capabilities for Continuity of 
Government and Continuity of Operations Plans, the Federal 
Desktop Core Configuration, and the IT Infrastructure Line of 
Business, address our potential security gaps, help agencies 
optimize their information infrastructure, and facilitate 
appropriate network consolidation and configuration.
    In turn, agencies will be better able to manage their 
information infrastructure, allowing them to reduce risk to an 
acceptable level.
    In conclusion, there is evidence agencies are making 
progress in the area of information security and protection of 
sensitive information. We are improving the quality of 
information security processes across the Federal Government 
while concurrently improving our reported performance metrics 
and compliance with FISMA.
    I will be happy to take questions at the appropriate time.
    Senator Carper. Ms. Evans, thank you very much. Mr. 
Wilshusen.

 TESTIMONY OF GREGORY C. WILSHUSEN,\1\ DIRECTOR OF INFORMATION 
    TECHNOLOGY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Mr. Chairman, Ranking Member Coburn, I am 
pleased to be here today to testify on FISMA and the state of 
federal information security.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Wilshusen appears in the Appendix 
on page 54.
---------------------------------------------------------------------------
    Rarely has the need for the Federal Government to implement 
effective controls over its information systems and information 
been more important.
    Virtually all Federal operations are supported by automated 
systems and electronic information, and agencies would find it 
difficult, if not impossible, to carry out their missions, and 
account for their resources without them.
    At the same time, Federal systems and critical 
infrastructures are increasingly being targeted for 
exploitation by a growing array of adversaries, including 
criminal groups, foreign nation states, hackers, terrorists, 
virus writers and disgruntled insiders.
    Thus, it is imperative that agencies safeguard these 
systems to protect against such risks as the loss or theft of 
resources, the disclosure or modification of sensitive 
information, including national security, law enforcement, 
proprietary business, and personally identifiable information, 
and the disruption of critical operations.
    Today, I will summarize agency progress in performing key 
information security control activities, the effectiveness of 
information security of Federal agencies, and opportunities to 
strengthen security.
    In Fiscal Year 2007, the Federal Government reported 
improved information security performance relative to key 
performance metrics established by OMB.
    For example, the percent of certified and accredited 
systems government-wide reportedly increased from 88 percent to 
92 percent. These gains continue historical trends that we 
reported on last year.
    Despite reported progress, 20 of 24 major Federal agencies 
continue to experience significant information security control 
deficiencies. Most agencies did not implement controls to 
sufficiently prevent, limit, or detect access to computer 
networks, systems, or information.
    Moreover, agencies did not always configure network devices 
to prevent unauthorized access and ensure system integrity; 
patch key servers and workstations in a timely manner; and 
maintain complete continuity of operations plans for key 
information systems.
    An underlying cause for these weaknesses is that agencies 
have not fully or effectively implemented the agency-wide 
information security programs required by FISMA.
    As a result, Federal systems and information are at 
increased risk of unauthorized access to and disclosure, 
modification, or destruction of sensitive information as well 
as the inadvertent or deliberate disruption of system 
operations and services.
    Such risks are illustrated in part by an increasing number 
of security incidents reported by Federal agencies. 
Nevertheless, opportunities exist to bolster Federal 
information security. Federal agencies can implement the 
hundreds of recommendations made by GAO and their IGs to 
resolve previously reported control deficiencies and 
information security program shortfalls.
    In addition, OMB and other Federal agencies have initiated 
several government-wide initiatives that are intended to 
improve security over Federal systems and information.
    For example, OMB has established an information systems 
line of business to share common processes and functions for 
managing information system security, and it has directed 
agencies to adopt the security configurations developed by 
NIST, DOD, and DHS for certain Windows operating systems.
    Consideration could also be given to enhancing policies and 
practices related to security control testing and evaluations 
of agencies' information security programs required by FISMA.
    In summary, although Federal agencies report performing key 
control activities on an increasing percentage of their 
systems, persistent weaknesses in agencies' information 
security continue to threaten the confidentiality, integrity, 
and availability of Federal systems and information.
    Until Federal agencies resolve their significant 
deficiencies and implement effective security programs, their 
systems and information will remain at undue and unnecessary 
risk.
    Mr. Chairman, this concludes my statement. I would be happy 
to answer your questions.
    Senator Carper. Mr. Wilshusen, thank you very much. Mr. 
Bennett, you are recognized. Thanks for joining us.

TESTIMONY OF TIM BENNETT,\1\ PRESIDENT, CYBER SECURITY INDUSTRY 
                        ALLIANCE (CSIA)

    Mr. Bennett. Thank you. Chairman Carper, Ranking Member 
Coburn, thank you for this opportunity to appear before the 
Subcommittee to discuss the Cyber Security Industry Alliance's 
thoughts on how to possibly improve FISMA. I know, Mr. 
Chairman, data security is an issue that you have been 
interested in and followed on a sustained basis, both in this 
Subcommittee and in the Banking Committee, and we appreciate 
that. I would also like to note, in light of prior comments, 
whether on the record or off the record, ``Go Bucks.''
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Bennett appears in the Appendix 
on page 92.
---------------------------------------------------------------------------
    This hearing is most timely and further bolsters current----
    Senator Carper. After I met Senator Coburn, I found out 
there was another OSU.
    Mr. Bennett. Yes.
    Senator Carper. There is another OSU in Oregon, and the guy 
who used to be President of Ohio State is now the President of 
Oregon State. He says he is sticking with the OSUs. He still 
has Oklahoma, though.
    Senator Coburn. No, we just got a new president.
    Senator Carper. All right. OK.
    Mr. Bennett. Well, this hearing is most timely and further 
bolsters current congressional consideration of the need for 
strengthening information security within the Federal 
Government. As we have painfully learned, Federal systems are 
frequently vulnerable to the now relentless onslaught of cyber 
attacks, and the oversight by the Congress is an important 
element in holding Federal agencies accountable for improved 
information security, as well as highlighting ongoing 
challenges and vulnerabilities.
    While today's hearing is not focused on a specific 
legislative proposal, we believe the 110th Congress has an 
important opportunity to enhance FISMA to improve the 
information security posture of Federal Government agencies. 
Even though the last few years have yielded some improvements 
in Federal information security, there are unacceptable 
vulnerabilities in Federal Government information systems that 
urgently need to be addressed. The Federal Government should be 
the leader in adopting effective information system practices 
based on understanding and addressing risks to sensitive 
information and not be the poster child for what can go wrong.
    The time for strengthening FISMA is now, given the 
escalating, large-scale information security intrusions and 
data losses that have occurred at our Federal agencies over the 
past several years. Unsurprisingly, the Information Technology 
Association of America's recent report based on its annual 
survey of Federal CIOs found for the second year in a row, that 
the broad area of IT security and cyber security remains the 
top challenge faced by Federal CIOs.
    CSIA member company Symantec revealed in its 2007 Internet 
Security Threat Report that the government sector is the third 
most targeted sector for global cyber attacks and wholly 
responsible for 26 percent of all data breaches that may lead 
to identity theft.
    Mr. Chairman, you mentioned in your opening statement the 
series of attacks perpetrated by hackers operating through 
Chinese Internet server against our computer systems at several 
Federal agencies. Hackers were able to penetrate Federal 
systems and use rootkits, a form of software that allows 
hackers to mask their presence, to send information back out of 
the Federal agency systems.
    Federal agencies scored an average grade of C-minus on 
2007's information security report card. Last year's average 
grade was a very small improvement over 2006 when the agencies 
scored an average of D-plus. These are barely passing grades.
    Some argue that FISMA does not adequately measure 
information security. A high FISMA grade does not mean the 
agency is secure, or vice versa. That is because FISMA grades 
reflect compliance with mandated processes. They do not, in my 
view, measure how much these processes have actually increased 
information security. In particular, the selection of 
information security controls is subjective and, thus, not 
consistent across Federal agencies.
    Agencies determine on their own what level of risk is 
acceptable for a given system. They can then implement the 
corresponding controls, certify and accredit them, and thus be 
compliant and receive a high grade, regardless of the level of 
risk they have deemed acceptable.
    There were encouraging signs of progress in the 2007 
report, but we continue to be concerned that many mission 
critical agencies like DOD and DHS are still lagging in their 
compliance. These and other agencies are lacking in 
implementing configuration plans, in performing annual tests of 
security controls, and are inconsistent in reporting incidents. 
The annual report card does, however, indicate that the Federal 
Government overall has made some improvements in the areas of 
developing configuration plans, employee security training, and 
certifying and accrediting systems.
    FISMA does not tell the whole story when it comes to 
agencies' information security practices. Nowhere is an 
agency's ability to detect and respond to intrusions measured 
in FISMA. In fact, a senior DHS official testified before the 
House Homeland Security Committee on February 28, 2008 that 
intrusion detection is inconsistent across the Federal 
Government.
    FISMA is a great baseline log, but clearly much needs to be 
done in this area. We need to incentivize strong information 
protection policies and pursue a goal of security rather than 
compliance.
    We need to ask ourselves if we can make FISMA better as new 
threats evolve. Certainly, we want to avoid a check-the-box 
mentality, and do not want FISMA to be reduced to a largely 
paperwork drill among departments and agencies, consuming an 
inordinate amount of resources for reporting progress while 
yielding few genuine security improvements.
    Unfortunately, in some cases, that is what it has become.
    With the benefit of 5 years' experience under FISMA and 
several insightful reports by GAO, it is now possible to 
identify possible improvements that can address those 
weaknesses in FISMA implementation that have now become 
apparent. With global attacks on data networks increasing at an 
alarming rate, in a more organized and sophisticated manner, 
and often originating from state-sponsored sources, there is 
precious little time to lose.
    CSIA believes that amending legislation is needed to give 
the weight and suasion of law to the eight improvements that we 
are recommending in our written testimony.
    In closing, I commend the Subcommittee for examining 
whether enough is being done to protect Federal IT and secure 
sensitive information systems, and asking how we can improve 
FISMA and Federal agency information security practices going 
forward.
    FISMA can be strengthened if we develop processes and 
metrics that truly measure information security and help guide 
investments in personnel, capabilities, and information 
security safeguards that can more effectively secure our 
complex Federal computing enterprises. We need to get beyond 
focusing only on compliance processes. We need to encourage 
risk-based approaches to information security. We need to 
embrace the public-private partnership that information 
security requires, and we need to take steps immediately that 
improve both the policy and the practice of information 
security. The overriding objective should be to move Federal 
agencies to act in a manner that equates strong information 
security practices with overall mission accomplishment. We all 
know what is at stake. Thank you.
    Senator Carper. Mr. Bennett, thank you very much. And 
Senator Coburn has another pressing engagement. He is going to 
have to slip out of here in a little bit, but I have asked him 
to lead off with questions. I am just happy you are here.

              OPENING STATEMENT OF SENATOR COBURN

    Senator Coburn. Thank you, Chairman. Let me thank each of 
you for what you do and for being here. Ms. Evans, I appreciate 
so much the work you do. How much of the work of FISMA is 
paperwork versus real security protection? And how much of a 
measurement of compliance is measurement of compliance of 
paperwork rather than security protection?
    Ms. Evans. Well, the way that I would prefer to answer the 
question is that it all depends on how the agency goes about 
doing the work. If the agency is going about doing the work 
because OMB is telling them they have to do it, then it is a 
paperwork exercise. If the agency is going about the work in 
order to achieve the goal, which is better information 
security, then it is measuring the information security of what 
is happening there at that Department.
    FISMA has put together a framework. The policy supporting 
it has put together a framework, but it really is about if you 
are going to do it just to comply with OMB and to comply with 
the annual reporting requirement, then it is purely a paperwork 
exercise at that agency.
    Senator Coburn. So it does not mean anything. If they are 
compliant with FISMA, it does not necessarily have a reflection 
of how compliant we are in terms of security, cyber security?
    Ms. Evans. Well, the way that I would say it is that you 
need to use FISMA as an indicator. It is an indicator, just 
like any of the other types of metrics that we would collect; 
and that the other thing that FISMA has, which some of the 
other metrics that we do not have, is that the law itself put 
the independent evaluation in there, which allows the IGs to 
come in and measure the value or the quality of that process.
    So it is not just an agency reporting mechanism but it is 
also an evaluation of the quality of that process. So if you 
look at the information that when you start looking at it 
overall and then looking department by department, then you 
would be able to see this particular department is doing it, 
may be doing it as a compliance exercise or is not necessarily 
as mature.
    For example, we have picked certain areas where we have 
asked the IG to go in and evaluate the quality. One, which is 
controversial, is certification and accreditation.
    If an agency says I have 100 percent of my systems 
certified and accredited, but the IG says that process is poor, 
then we need to go in and work with that agency because the 
agency is going about that process. We need to figure out is it 
just compliance or----
    Senator Coburn. Well, that is what I am trying to get to. 
How much of it is doing the paperwork, meeting the 
certification? The goal is secure networks.
    Ms. Evans. Sure.
    Senator Coburn. And so what do we need to do in terms of 
the reauthorization of this bill to make sure that everybody is 
working towards security, not compliance?
    Ms. Evans. Well, my view is that the bill itself is fine 
with the way that the framework is set up. I think some of the 
discussions of what we have talked about, the types of metrics 
that we are collecting or maybe some improvement in the 
guidance that comes from NIST to help agencies work through 
that process and be more definitive.
    For example, a good example where an agency can choose and 
they need to choose the risk, we got more specific with some of 
the policy memos as it related to personally identifiable 
information, where we worked specifically with NIST. NIST went 
through and did a checklist, a very specific checklist and 
pointed to very discrete portions of their guidance, which 
really helped agencies get through that instead of looking at a 
document this big and then trying to figure it out on their 
own.
    Senator Coburn. OK. So let us say we got an agency that is 
compliant that's not secure. What does OMB do?
    Ms. Evans. Well, what we would do is we would go through 
and see what that actually means, when you say they're 
compliant because----
    Senator Coburn. I am saying they filled out the paperwork. 
They are certifiable, but when the IG comes in to test to see 
if they are secure, they are not. What do you do?
    Ms. Evans. Well, then what we do is we use the authorities 
that we have, for example, all the investments go on the 
management watch list. The existing projects will also go on 
the high-risk list, because what we want to do is make sure 
that you are not spending more money to put out new investments 
on top of infrastructure that is not secure.
    Senator Coburn. OK.
    Ms. Evans. And that you do not have the proper controls in 
place that in order to ensure that you are monitoring then on a 
consistent basis and on the constant basis. So we would then 
work with the agency to make sure that there is a good 
remediation plan in place, looking at what are the weaknesses 
the IG has defined, and then work through that to make sure 
that they can then close that gap of what the IG has said is 
keeping them from having a good security program in place where 
they are constantly assessing the risk.
    Senator Coburn. OK. Let me ask this of Mr. Wilshusen. You 
said their compliance has gone from 88 to 92 percent. Mr. 
Bennett said when we measure performance, they have gone from 
D-plus to C-minus. We are measuring two different things, are 
we not?
    One is compliance, which does not necessarily mean 
security. And Mr. Bennett's performance measurement is about 
security, is that correct? Am I understanding that right?
    Mr. Wilshusen. Well, I would say that in terms of the 
compliance, many of the performance metrics that OMB has 
established for FISMA reporting, on which agencies are supposed 
to report on their compliance with the Act, they are, in fact, 
just identifying the number or the percentage of systems that 
meet a particular control activity.
    Senator Coburn. Right.
    Mr. Wilshusen. It does not reflect how well or how 
effective that control----
    Senator Coburn. Right.
    Mr. Wilshusen [continuing]. Activity is in many of the 
cases. And, as a result, you do have that dichotomy of agencies 
reporting significant improvements in terms of the number of 
systems and number of personnel performing control activities. 
Whereas the effectiveness of their security controls is still 
questionable.
    Senator Coburn. It could be going down?
    Mr. Wilshusen. It could be. One measure of that we look at 
is the 20 out of 24 of the CFO Act agencies that----
    Senator Coburn. Yes, I saw it.
    Mr. Wilshusen [continuing]. Identified significant or their 
IGs identified significant control deficiencies or material 
weaknesses as part of their financial statement audits, the 
difference being is that in those reviews, in those audits, the 
IGs are assessing the effectiveness of information system 
controls or the financial systems, not just merely compliance 
with particular control activities.
    Senator Coburn. OK. In your assessment, give me short 
answers because I am running out of time.
    Mr. Wilshusen. OK. Sorry.
    Senator Coburn. Yes, but I am out of time. They have been 
waiting on me 15 minutes.
    Mr. Wilshusen. I see.
    Senator Coburn. We have had almost a doubling of reported 
events. What percentage of that you think is increased 
reporting that were there anyway versus actually a worsening of 
a security situation--just a guess. I am not holding you to it. 
What do you think, Mr. Wilshusen?
    Mr. Wilshusen. I would say I do not know that answer 
specifically.
    Senator Coburn. Does anybody know that answer?
    Ms. Evans. Actually, we have the numbers based on what 
U.S.-CERT has given to us. The increased reporting based on our 
enhanced reporting requirements for personally identifiable 
information has increased. When you look at the report, it ends 
up that the actual number is about 348 actual incidences, when 
you start looking at unauthorized access, when you look at 
these numbers that are in the chart.
    So because the rest of the reporting comes from lost and 
stolen equipment, and so there is an increase in lost and 
stolen equipment based on the way that we clarified the 
reporting requirements. But that leads to other issues dealing 
with security, which is the focus of this, and so what we are 
able to do then is see based on the types of reporting that 
comes in what type of corrective actions we need to take 
government-wide.
    But to the question that you are asking about compliance 
and the metrics and this is one area where we do take a lot of 
feedback. We pick certification and accreditation because we 
believe that measures the lifecycle of what an agency is 
supposed to do from start to finish when they collect 
information and how they protect it. So if you do it right, 
that you are assessing the risk saying this kind of information 
I am having, this is the type of IT system I am going to use, 
these are the types of controls, these are what the users do, 
this is the residual risk, and the owner has to sign off and 
say I accept that.
    So that is why we picked that process. When you start 
pulling out D-minus, C-plus, 92 percent and all those, you 
still have to get to the quality, which is the independent 
evaluation of the IG. So that is why we look at that in 
conjunction with the two. The D-minus grade that you are 
talking about that the House has given us.
    Senator Coburn. Actually, it was C-minus. You are doing 
better than D-minus.
    Ms. Evans. We had a D-minus. We had a C, and I agree I 
would not accept that from my children. You can ask them.
    So that is why we have worked to put in more of these 
government-wide solutions that are getting to the root cause of 
the issue.
    Senator Coburn. So when IG comes or GAO come to look at 
this, do they actually test for security or do you test for 
compliance to the law? Which are you testing for?
    Mr. Wilshusen. Well, when we do our reviews, we test for 
security. We test the actual----
    Senator Coburn. So you are actually testing to see----
    Mr. Wilshusen [continuing]. Security.
    Senator Coburn [continuing]. If, in fact--you are trying to 
probe it and break it?
    Mr. Wilshusen. That is correct.
    Senator Coburn. And see if they can catch you?
    Mr. Wilshusen. That is exactly right.
    Senator Coburn. And so, on the basis of that, are we better 
off than we were a year ago?
    Mr. Wilshusen. I would say we are not better off than we 
were, say, a year ago.
    Senator Coburn. OK. That is a key answer.
    Mr. Wilshusen. In that we continue to find significant 
control deficiencies on the audits that we perform.
    Senator Coburn. Twenty out of 24?
    Mr. Wilshusen. And that would include those that the IGs 
have identified, too.
    Senator Coburn. All right.
    Mr. Wilshusen. But I could just--if I may just--and I know 
you have----
    Senator Coburn. OK.
    Mr. Wilshusen [continuing]. To leave. I have two comments 
based on what Ms. Evans mentioned.
    One is that most of the performance measures relate to 
strictly identifying whether control activity has been 
performed. There are a few instances where OMB asked the IG to 
comment on the quality of certain processes, but there are a 
number of other processes that are not asked or requested to 
comment on the quality of them, including, for example, 
security testing and evaluation of controls, which is a key 
critical control activity in which we often find during our 
audits where agencies' control activities or testing activities 
are insufficient because we identify a number of 
vulnerabilities that they do not on the same systems.
    Senator Coburn. OK.
    Mr. Wilshusen. In addition, the patch management, as well 
as the incident detection capabilities, are not necessarily 
assessed as part of the independent evaluation.
    There is also a concern about the consistency of the 
independent evaluations performed by the IGs across the 24 
agencies.
    Senator Coburn. In other words, some are tougher probes 
than others?
    Mr. Wilshusen. Yes, sir.
    Senator Coburn. OK. The last question, and I am going to 
leave and let you answer it and my staff will give it to me, 
because I just received a notice my contact is getting ready to 
leave.
    Do you think that the U.S.-CERT has captured data on all 
attacks or are they only on what is reported? And is there a 
difference? Mr. Bennett.
    Mr. Bennett. Only on what is reported.
    Senator Coburn. Yes, so we do not know?
    Mr. Bennett. That is correct.
    Senator Coburn. So basically, we are not to the point where 
we can really assess our security?
    Mr. Bennett. That is correct, and I am going to grab you 
real quick. On the OMB report released earlier this week about 
the doubling of the number of incidences reported, that does 
reflect improved reporting. But what we have seen--certainly in 
the private sector--is the number of attacks exploded in 2007.
    Senator Coburn. Yes.
    Mr. Bennett. The chart goes like this. So, there is no 
doubt----
    Senator Coburn. So some of it is real and some of it is 
not?
    Mr. Bennett. It is real, and the Federal Government would 
not be immune from that increased malicious activity.
    Senator Coburn. Thank you. Thank you, Mr. Chairman.
    Senator Carper. Let me sort of pick up where Dr. Coburn was 
leaving off. Why do you suppose we are seeing this explosion? 
You said in 2007 it just sort of took off. What is going on out 
there?
    Mr. Bennett. Well, I'll give you my take and also the 
others, and there are a lot of people in the audience behind me 
that are real experts on this.
    A number of things. One, we saw organized crime move into 
this activity in a more sustained, organized fashion, more 
sophistication. The amount of money made in cyber crime, 
according to FBI report, now far exceeds that made in the total 
international drug trade and the gap is increasing.
    It is easier to do. It is safer. It can be done from an 
offshore location. Chances of apprehension are substantially 
reduced. So we are seeing that.
    And a lot of it is coming from offshore locations hitting 
targets around the world, primarily the United States, but not 
just the United States.
    Senator Carper. Well, what are some other countries that 
are being victimized besides us?
    Mr. Bennett. Well, the Attorney General of Australia just 
made a public statement earlier this week that the government 
agencies of Australia have been attacked and when asked to name 
a country, he mentioned China. So, there are certainly other 
governments.
    You referred in your opening statement to Germany. Of 
course, the Estonian attack is noted. But there are also 
organized crime gangs in Russia, Romania, and Bulgaria. We have 
also heard Indonesia and Malaysia--so it is thriving, and it is 
profit-driven. It is a very entrepreneurial market now. And so 
it has gone away from random attacks, kiddy hacking, all these 
types of thing, to a very organized business activity. We have 
even seen evidence of going after certain databases, stealing 
certain personal information with the intent to hold it for a 
number of years. That reflects a long-term business plan.
    So we are seeing a rapid evolution in the type of activity.
    Mr. Wilshusen. And I would just like to add--and I would 
agree, too, with everything that Mr. Bennett mentioned--that 
there is probably better incident reporting on the part of the 
agencies. The May 2006, VA data theft, I think, was a Federal 
wake-up call on the importance of reporting incidents and 
reporting them promptly. And the increased emphasis on 
reporting that OMB has placed on the issue has also increased 
the number of incidents that are reported.
    In addition, I would like to add that the threats are 
evolving; the threats to Federal systems are evolving. They are 
becoming more targeted, and sophisticated. And with the 
prevalence of information security weaknesses and deficiencies 
within the Federal systems, it makes the likelihood of 
increased security incidents very possible; and the fact the 
Federal Government maintains and collects a lot of information 
that is very attractive to potential adversaries.
    Senator Carper. Ms. Evans.
    Ms. Evans. So what I would like to address is what you do 
when you have this information, and it is not so much making----
    Senator Carper. When you say what you do?
    Ms. Evans. What we do.
    Senator Carper. What is it you do?
    Ms. Evans. What we do when we have the----
    Senator Carper. Who is the you?
    Ms. Evans. The Federal Government, OMB, U.S.-CERT and how 
what we do with this stuff to get to the result of improved 
information security because that is really what we are trying 
to do. It is not so much--and I think this is the piece that we 
keep talking about here is you can enhance and you can insist 
on whether you have 100 percent reporting in here. Is the goal 
to get the 100 percent reporting or is the goal to be able to 
analyze the information that is coming in and fix what the 
systemic problem is?
    And I would argue that there is enough information. We may 
not, we are improving our reporting requirements, then using 
this information to go forward and put solutions in place to 
reduce risk.
    When you start looking at all of the things that my 
esteemed colleagues have talked about what is at the root of 
that problem? What are they exploiting? Why do I have material 
weaknesses? How do they get in? What are they doing?
    Nine times out of 10, this is a configuration management, 
patch management issue.
    Senator Carper. When you say configuration management patch 
management, just put that in English----
    Ms. Evans. OK.
    Senator Carper [continuing]. That even I can understand it.
    Ms. Evans. So what will happen is if I am running an 
operation, so, say, I am back at a department and I am running 
an operation. Depending on whether I have that federated across 
the department or whether it is being centrally managed, so 
that only one person controls what comes in and what goes out 
on a desktop, like how a desktop is set up.
    If you have allowed a thousand different types of 
configurations to flourish, because that stimulates a lot of 
creativity and innovation, that also increases your risk, 
because now you have to have the resources to manage a thousand 
different types of configurations. You have to have the 
resources to then look at a thousand different configurations 
and see what risks that come out on a daily basis that are 
related to that.
    If I manage one, can manage one more effectively, then I 
can manage a thousand. And so what happens is then when 
organized crime comes along or any of these other ones, think 
of it as your house. You have a burglar alarm system--everyone 
knows that when you first put up that first sign and they are 
driving down the road, and they see that your house is 
monitored, they pass you and go to the next one.
    Well, if everybody in your neighborhood has that sign up, 
the threshold has now gone up; right? So now the criminals are 
going to come by and start rattling doors.
    Senator Carper. What we did in our neighborhood, we went 
around the neighborhood, and we took out other people's signs.
    Ms. Evans. Well, there you go. [Laughter.]
    But that is how it works. And so configuration management 
is raising it up a level so then what they start doing is 
tapping around and that is what these mean, like scans and 
probes and things. They tap around to see if a door is open or 
if a window is open.
    If you have left the window open, and they will want to 
come into your house. So what we are trying to do in a very 
concerted way with what the Federal Desktop Core Configuration 
is lock down all the windows and doors; right? The sign is up, 
and then we are assessing the environment based on the risk. 
And then you can patch faster, if there is a vulnerability that 
comes out; right?
    So, say, somebody's sign fell down. You would have to put a 
patch back up. This allows us to do that faster because we know 
everybody is supposed to have the sign. One person is missing 
the sign. We need to go back and put that sign up for the 
person.
    That is what we are trying to do across the board as an 
entity.
    Senator Carper. Mr. Bennett, what is good or bad about the 
approach that Ms. Evans has just described for us?
    Mr. Bennett. Well, let me address that by saying this is an 
enormous problem. FISMA was a wise approach by the government, 
by the Congress to try and address it, and FISMA itself was in 
evolution in prior legislation.
    What OMB has tried to do is try to manage this enormous 
Federal Government information system, for which we do not even 
yet have a complete inventory. It is a tremendous challenge. 
They are taking the best approach, and they have been tweaking 
and evolving over the years and putting out memoranda to guide 
the agencies on how to improve as they learn, but what we are 
suggesting is based upon our experience in working with the 
Federal agencies is--and the GAO reports there is too much of a 
reliance upon the procedures and the processes and despite Ms. 
Evans saying that the primary issues are just configuration, 
there still remains a problem of addressing the issue that 
Senator Coburn was getting at--are we coming after compliance 
or are we coming after security?
    And what we are hearing is it is not coming after security, 
and in private conversations that I have had with the CIO 
offices of certain Federal agencies and in talking with them 
how is your FISMA compliance, enlighten me. They will say do 
you want the official answer or do you want the off the record 
answer. And just that response right there, I think underlines 
part of the problem that we are not getting at the primary goal 
of the mission of the agencies has to be aligned with 
protecting their information systems.
    The Federal Government is probably the largest collector of 
information in the world. This information has--lots of it has 
value. And a lot of it is personally identifiable information. 
That information needs to be protected, and that needs to be 
recognized by the most senior levels of the agencies. We feel 
there are deficiencies. It has been pointed out in GAO reports. 
We have recommendations, and we feel it is going to have to 
take legislation, not administrative action.
    Having been a Federal employee for 11 1/2 years, I think a 
Federal agency, an employee responds more when something is in 
law rather than hearing from OMB or another agency that we are 
asking you to do such and such. So that is our bottom line on 
that.
    Mr. Wilshusen. May I please add a comment?
    Senator Carper. Mr. Wilshusen, sure. We have been joined by 
Senator Coleman. Welcome, this is our first panel. It is really 
quite a fascinating discussion so far. And we are happy that 
you are here, and, if you would like to ask questions of this 
panel, that would be great.
    And we will let them go for a couple more minutes, and then 
I will recognize you.
    Senator Coleman. Great. Thank you, Mr. Chairman. I may have 
one or two questions.
    Senator Carper. Good. Thanks for joining us.
    Mr. Wilshusen. OK. I would just like to add one thing that 
Ms. Evans mentioned was the Federal Desktop Core Configuration 
Initiative. We think that has a lot of promise.
    Senator Carper. Why do you say that? Why do you think it 
has a lot of promise?
    Mr. Wilshusen. Because in our audits, many of the security 
vulnerabilities that we identify and are able to exploit are 
ones that exist due to insecure configurations of operating 
systems.
    And the Federal Desktop Core Configuration, for example, is 
coming up with relatively secure configurations of the Windows 
XP and Vista operating systems. By having these operating 
systems configured securely, particularly if we can get them 
right out of the box when they are acquired, it provides a 
greater opportunity to improve the security than is the usual 
case with operating systems--that come in in their least secure 
state and require the agency then to come in and implement 
security in the operating systems.
    So by having the ability to have these core configurations 
and through the leveraged power of the Federal procurement to 
have these configurations right out of the box will help 
strengthen security.
    Once it is installed, you still need to maintain that over 
time because the computing environment is not static. It is 
very dynamic, so there still needs to be effective monitoring 
mechanisms in place, but it is a benefit that will help reduce 
some of the vulnerabilities that we often find.
    Senator Carper. All right. Well, it sounds like what we are 
up against here--and I want to go back to this scorecard you 
mentioned. D-plus to C-minus; modest improvement, but 
improvement. Whose scorecard was that?
    Ms. Evans. It is the House Government Reform.
    Mr. Bennett. It is the House Government Oversight and 
Reform Committee.
    Senator Carper. All right. Each one reflects an evaluation 
for a particular discrete year? Is that what?
    Ms. Evans. Yes, they rank it each year, and they release 
the methodology associated with that. It is based on--GAO also 
looks at it, and then what will happen is they will take the 
information from the agencies, and they will either plus or 
minus points based on certain methodology every year, and GAO 
works with the House side in order to come up with what that 
methodology should be.
    Senator Carper. And what years were covered, 2006 or 2007? 
Do you all know?
    Mr. Wilshusen. They have not done one for 2007 yet.
    Senator Carper. I see.
    Mr. Wilshusen. There have been computer report cards over 
the last several years beginning with, I think, it was 
Representative Horn.
    Ms. Evans. Right. It started with Representative Horn, so 
he did 2001 forward, because I remember that was my first 
hearing 6 weeks into the job and over at Energy.
    But it is discrete against the report, so it is another 
view of looking at this same report. So the plus ups or the 
discussions with the House side again is that scorecard really 
measuring security, or is it just measuring the compliance with 
the information that comes into FISMA. So it is the same 
debate. It is just another view of looking at it.
    Senator Carper. Yes. And we keep coming back to that issue. 
Are we measuring compliance or are we measuring security. I am 
reminded of my old job. Before Senator Coleman came here, he 
was a mayor of a big city in Minnesota. But I was governor, and 
we worked a lot on education reform, trying to spell out what 
students ought to know and be able to do in math, science, 
English, and social studies. We spelled out our academic 
standards in those subjects.
    And we began to measure student progress toward mastering 
those academic standards in math, science, English, and social 
studies. Up until that point, there had been no way to judge 
academic performance by how much money we spent per student or 
how--what kind of degrees the teachers had. We judged inputs 
and process more than we did outputs and outcomes.
    And this debate reminds me a little bit of what we went 
through in education.
    Do you all think we are doing a better job in terms of 
measuring outcomes as opposed to a process? Are we measuring 
the right stuff?
    Mr. Wilshusen. I would say as part of the FISMA reporting 
process that the metrics that OMB has established that we are 
not effectively measuring the effectiveness of security 
controls or the quality of the control processes because, for 
the most part, they are measuring just the performance of a 
control activity, not its effectiveness. And I think there 
could be some other measures that are appropriate to help show 
what the effectiveness is.
    OMB does ask the IGs to comment on the quality of certain 
processes, but there are other processes that could also be 
evaluated as related to its quality.
    Senator Carper. All right.
    Ms. Evans. So I would like to add to this that every year 
when we do the annual reporting requirements, we send out the 
updated draft, and we ask for different metrics, if people want 
to improve the metrics or change the metrics in order to get to 
some of the issues that we are talking about today.
    We send it to the IG community. We also send it to GAO, to 
enhance or add additional pieces. We have added additional 
areas dealing with privacy, so we are now measuring privacy in 
a government-wide capacity, and we have added those metrics.
    But some of the suggestions that have come in when we have 
looked at them, we have evaluated whether they have always been 
accepted or not, whether we are actually still getting to is 
that another output metric or is that really a performance 
metric.
    So another example, real quick example, that I would like 
to give is what we are trying to do is use this information to 
inform solutions that get us to that result.
    So one of the things that came in that we see, the increase 
in incident unauthorized access that we were previously talking 
about, that is an 85 percent increase and that is from lost or 
stolen equipment.
    That gets back to the additional guidance that we gave the 
agencies about encrypting data on devices that are mobile. And 
then what we turned around and did was put in a BPA, a 
government-wide BPA----
    Senator Carper. What is a BPA?
    Ms. Evans. It is a blanket purchase agreement----
    Senator Carper. Thank you.
    Ms. Evans [continuing]. Which allows agencies to use it so 
that they do not have to procure their own solutions and that 
everything is on that particular contracting vehicle so that 
they can then go, leverage our buying power, and have 
encryption tools then put in place.
    So we are using the data that comes in that may be output 
data to get to more solutions, more results, more performance 
types of activities instead of trying to really, since we have 
not gotten good metrics--we feel good metrics that measure 
performance and effectiveness to try to get to solutions that 
are really getting to the results, and we are using the data to 
inform those types of solutions that we are putting in place.
    Senator Carper. All right. Let me stop right there and 
recognize Senator Coleman. Glad that you are here. Thanks for 
joining us.

              OPENING STATEMENT OF SENATOR COLEMAN

    Senator Coleman. Pleasure to be here, Mr. Chairman, and 
thank you for the opportunity to participate in this 
discussion.
    Mr. Chairman, I have a more complete statement I would like 
entered into the record.
    Senator Carper. Without objection, it will be put in.
    [The prepared statement of Senator Coleman follows:]
             OPENING PREPARED STATEMENT OF SENATOR COLEMAN
    I want to begin by thanking Chairman Carper and Ranking Member 
Coburn for holding this hearing and for permitting me to attend as I am 
not a Member of this Subcommittee. As the number of cyber attacks on 
Federal Government networks continues to increase, it is important that 
we review agency compliance with the laws in place to prevent those 
attacks such as FISMA and if they need to be strengthened.
    One area of concern I have is what the Federal Government is doing 
to fulfill its responsibility in maintaining and protecting sensitive 
Personally Identifiable Information (PII) that Americans are required 
to provide for a wide array of reasons, including paying taxes, 
receiving medical and disability benefits, and obtaining retirement 
compensation. This PII includes names, addresses, Social Security 
numbers, biometric records, and other data that is linked or linkable 
to an individual. Identity theft and fraud are national problems that 
affect approximately 10 million Americans each year so it is critical 
the Federal Government take steps to ensure PII does not fall into the 
wrong hands.
    In the wake of the VA data breach in 2006, I asked GAO to conduct a 
government-wide review of current policies on the books to protect 
Americans' personal information held by government agencies. The 
findings released in this report are very troubling--seeming to 
indicate that agency after agency is failing to make securing citizens' 
personal information a high priority.
    As a result of this GAO Report, Senator Collins and I sent a letter 
to every Agency requesting in writing a timeline of when they will meet 
the recommendations put in place by the Office of Management and Budget 
(OMB) for increased cyber-security. I want to thank the VA who has 
responded and indicated they are compliant or have achieved significant 
milestones with the OMB memoranda. I also want to thank USAID who has 
responded and offered details for compliance. I look forward to 
receiving responses from other agencies as well so we can get an 
accurate picture of where things stand.
    The fact is the clock is ticking and we need to know when the 
agencies are going to have the protections in place to stop the 
numerous data breaches we have seen over the past few years. Our 
citizens deserve nothing less. The bottom line is the Federal 
Government has a responsibility to ensure the personal information it 
collects from its citizens is properly secured and protected. The 
sooner the Federal Government acts, the sooner Americans will be 
protected from the damaging consequences these breaches can have on 
their personal lives.

    Senator Coleman. In wake of the Veterans Affairs data 
breach in 2006, I had asked GAO to conduct a government-wide 
review of current policies on the books to protect America's 
personal information held by government agencies.
    And I think the findings here--Ms. Evans, I appreciate the 
work that has been done. The findings are troubling. It still 
seems to indicate that we are moving forward at the pace that 
we need to move forward.
    Senator Collins and I, as a result of the GAO report, sent 
a letter to every agency asking in writing for a timeline of when 
they will meet recommendations put in place by OMB for 
increased cyber security, and I am not going to get into all 
the details of that. Certain agencies have done very well and 
responded, and others are still not there. And I think the 
clock is ticking, and we have to move forward.
    But my more complete statement will touch upon that. The 
question I have is about looking for solutions and just so I 
can tell two anecdotes, Mr. Chairman, before the question.
    One is in some of my dealings with IRS and other agencies 
what I have found consistently as folks come back and saying we 
cannot move quickly enough on the text because we do not have 
the capacity. We do not have the people, the skills to do the 
software, to do the kind of things that need to be done. I find 
that troubling. I tied that into a discussion that I had as a 
Member of Homeland Security and Governmental Affairs Committee 
and doing oversight of Hurricane Katrina. And a witness was the 
IG for one of the Inspector General--I think Homeland Security, 
and he was saying that we had all this food in the pipeline, 
but we did not know where it was. We did not have the technical 
capacity. And my question was literally well, why do you not 
call FEDEX or UPS--that the capacity is out there in the 
private side.
    And so my question is that so many of the things that we 
are discussing here are not unique to government--the 
challenges are not unique to government. The private sector 
faces similar challenges. In many instances, they may have 
greater capacity to come up with solutions than we do for 
whatever reason. And so my question is what degrees are 
departments and agencies partnering with the private sector? 
Are there vehicles passed to do that? And does the same hold 
true for State and local government agencies?
    Ms. Evans. OK. So first, on State and local government 
agencies, they can work right off of the same solutions that we 
have. So when I talked about the encryption that we had in 
place and that blanket purchase agreement that we put in place, 
we use the authorities under the E-Government Act to extend 
that out to State and local governments beyond what is normally 
available to them under what they call Schedule 70, which are 
the IT schedules that are managed by the General Services 
Administration.
    So what happened in that particular case was all the tools 
that we identified that we worked with DOD--was key in this--
that is all extended out to State and local governments. They 
have exercised that. They have the same problems that we have 
done.
    As a matter of fact, the State person from New York who 
works on cyber security sent me a note before the hearing last 
week and 15 States have used that. They have had a savings of 
over $34 million using the encryption products that are 
available there.
    So we have done that so that they can learn from us on 
that.
    As far as public and private partnerships, the E-Government 
Act, all of our authorities currently now allow us to do that.
    And the Federal Desktop Core Configuration, what we were 
just talking about, is a prime example of public-private 
partnership. We went to Microsoft, building off of existing 
relationships that the Department of Defense had and the 
Department of Homeland Security and said OK, now Defense has 
done this. This is a best practice.
    We want to take this to the entire Federal Government. What 
is the impact of that? And they worked with us jointly. When we 
talk about a secure desktop configuration, that is 700 security 
configurations that are being set on the desktop.
    And what Microsoft is doing is supporting that through the 
regular distribution channels. So there is no impact to the 
market on this, other than the Federal Government improves from 
that. And the way that we have done it is in a very transparent 
way using NIST and so all of that is published. All that 
information is out on the NIST Web site. All of it is available 
for everyone, not just us--countries, anyone--can download that 
information and use the same secure configurations that we are 
and work with Microsoft through the same existing types of 
applications and contracts that they had to do it.
    Senator Coleman. Mr. Wilshusen, would you--and perhaps what 
I would add to that is are we--and I appreciate the fact that 
States and locals can kind of work off what we are developing. 
Are we confident that the systems that we are using are, in 
fact, the best practices that equal those practices that are 
being employed in the most high tech, fully funded private 
companies?
    Mr. Wilshusen. Well, I would say in terms of the IT 
contractor Federal Government partnership is that in most of 
the Federal agencies they do rely extensively on contractors to 
provide IT services and in many cases even information security 
services.
    And one of the key requirements for the Federal agencies, 
though, is to make sure and provide the appropriate oversight 
and monitoring of the activities of the contractors, to make 
sure that if they are operating systems on the agency's 
behalf that those systems are also adequately protected.
    We did a review a couple of years ago in which we found 
that many of the agencies at that time had not developed 
policies and procedures for effectively monitoring the 
activities of the contractors to assure that they were 
implementing the security requirements under FISMA and the 
like.
    That probably does not answer your question.
    Senator Coleman. No, what you are telling me is even as we 
do with contracts, is we have to have some of the same concerns 
about access to data----
    Ms. Evans. Yes.
    Mr. Wilshusen. Absolutely.
    Senator Coleman [continuing]. And security. My question 
went to the concern that I have had in dealing with technology 
to see the Federal Government saying we are not using, always 
using, the best practice, not using the highest level of 
material that is available. And I just want to make sure as we 
tackle this area that we are not just kind of inventing the 
wheel--reinventing the wheel here, but if it has been invented 
and used somewhere else that we are able to absorb it and use 
it quickly.
    Well, I think the example that Ms. Evans provided with 
regard to the Federal Desktop Core Configuration is one of 
those instances where the Federal Government and Microsoft and 
its partners are taking a leading role in identifying basic 
security requirements that can be applied on a mass basis.
    Senator Coleman. Thank you, Mr. Chairman.
    Senator Carper. You bet. Those are really good questions. 
Are there not other companies or organizations that use outcome 
metrics to measure security? I think we touched on this, but 
let me just go back. Are there not? Can somebody respond to 
that?
    Mr. Wilshusen. We have not done a review of what private 
sector organizations have done in terms of conducting and 
identifying meaningful, useful performance outcome-based 
performance metrics. But that would certainly be something that 
we would be willing to do with you.
    Senator Carper. Are the policies that are in place set up 
to be responsible to the new emerging threats? This has to be 
tough, because there are more and more bad guys out there. They 
are not just hackers and young people looking for a thrill. 
They are governments, or the Chinese or others, Russian 
nationalists. They are folks that have criminal intent, and 
they are looking to hit the jackpot and taking advantage of 
these situations.
    In terms of the threats that we see, just give us some 
ideas. Has half of this activity, attempts to penetrate our 
system, is it coming from hackers? How much is coming from, 
like foreign nationals? How much might be coming from criminal 
organizations? Any sense for at least for our systems, the 
stuff that we are trying to protect?
    Ms. Evans. I would refer us back to the report itself, 
which categorizes the different types of incidences. So some of 
the specific examples that you are giving would fall under the 
category that we have under investigation. And that shows an 
increase from last year of 912 incidences to 4,000 incidences. 
And it can be that it is under investigation----
    Senator Carper. Sorry. Say those numbers again?
    Ms. Evans. Last year, we reported. So all the different 
categories that you just talked about would be in what we 
categorize in the report as under investigation. And so last 
year, for Fiscal Year 2006, we reported 912, and this year 
(2007) we were----
    Senator Carper. This year being 2007?
    Ms. Evans [continuing]. Reporting 4,056.
    Senator Carper. OK.
    Ms. Evans. Now several of those are related again to the 
increased reporting that we had because of the lost and stolen 
equipment, so it is under investigation because we involved law 
enforcement from that perspective.
    So a lot of what you are asking falls into that category, 
and I think that without getting into all the specifics of what 
you are saying is that the better category to look at is what 
is under investigation.
    Senator Carper. All right.
    Mr. Wilshusen. One other category potentially could be the 
unauthorized access that is reported to U.S.-CERT, too, because 
those are actual instances where an intruder or an unauthorized 
individual gain access to information that they did not have a 
right to.
    Senator Carper. OK. The State of Delaware is the home to a 
number of large financial institutions. Some of them are credit 
card operations, others do other kinds of financial services--
and some of the best in the world.
    I used to watch as MBNA, which was one of the largest 
credit card banks in the world and now is part of Bank of 
America, when I remember a dozen or so years ago, they started 
hiring people who had been in the FBI, folks who had been with 
top folks in the Armed Services, and I was struck by how they 
were really going after people with a law enforcement 
background.
    And what they were doing back in the last decade was 
beefing up their ability to protect their sensitive information 
from these kinds of threats. I did not realize it at the time, 
but eventually I did.
    What can we learn from them? This question has already been 
asked to an extent. But what can we learn from financial 
institutions? What did Willie Sutton used to say when they 
said, why do you rob banks? He said that is where the money is. 
And if I were a hacker and I had criminal intent and I was 
looking to find financial gain, I do not know that I would 
necessarily go after the government first. I might go after 
these financial institutions. But what can we learn from them? 
What are we learning from them? And just as the threat changes, 
the nature of the threat changes constantly, it sounds like, 
and we have to get better and better, I am sure the same is 
true for some of these financial institutions and others that 
they are trying to protect their information.
    All right. Mr. Bennett, anything you would like to offer?
    Mr. Bennett. Yes. Thank you. First, I think in the private 
sector you find that the approach to information security in 
most cases, certainly in the financial services sector, is a 
continuous approach. And that is something that I think the 
Federal agencies could learn; that you cannot just do a report 
once a year or periodically, but it is a continuous effort. 
There are thousands of attacks a day. DOD gets over a million 
probes a day. It takes constant monitoring. That then spins off 
to the issues of adequate resources and training, budget, and 
personnel.
    The second thing is in the private sector, there has been a 
convergence at the top levels, an awareness that the success of 
the entity, of the corporation, of the business is aligned with 
its information security practices. Its reputation, the 
intellectual property, the reputation of the company should 
there be a massive data breach, the profitability of the 
organization if the intellectual property has been stolen, its 
ability to do successful merger negotiations could be 
undermined if another party has been stealing their negotiating 
position before they even walk into that negotiating room, and 
there are stories of that.
    These all impact a company and can have an impact on the 
market and the future of that company immediately. So security 
is aligned with mission accomplishment, and I think that is an 
area that the Federal Government could learn from the Federal 
agencies.
    The most senior officials at our agencies need to 
understand that protecting their information systems and the 
information that they contain needs to be protected on an 
ongoing basis in the best possible risk-assessed fashion that 
fits within their budget.
    You cannot have a situation where Cabinet officers go to a 
meeting with foreign government and before they even show up, 
their counterpart on the other side of the table already has 
their briefing paper and their talking points or might even 
know the U.S. negotiating parameters.
    I would not be surprised if this has not already occurred.
    And then for the Cabinet officer to return and be stunned 
and be upset with his staff who leaked that. Well, it was not 
leaked. You had a foreign party that was in your data system 
before you even headed out to Dulles Airport.
    So we need the top levels to appreciate the critical 
importance to the economic security, national security of this 
country, and the importance of protecting their data systems.
    Senator Carper. All right. I want to talk about incentives. 
One of the things we like to do in the oversight work in this 
Subcommittee, and really on our full Committee, is to look not 
in order to change behavior or to get the kind of behavior we 
want from Federal agencies, not just to penalize them or to 
rap them on the knuckles. We want to incentivize them to, 
which is a positive reinforcement of the good behavior that we 
see and we want others to emulate. But incentives can be a 
powerful motivator, I am sure we will all agree, for achieving 
goals. And without them, many times we are going to fall short 
of where we want to be.
    If information security is one of our top priorities and it 
clearly needs to be, what type of incentives can we provide to 
help agencies put in place the policies and the procedures that 
are needed to have more effective information security 
programs?
    Ms. Evans. Well, I will take the first shot at this, 
because it is actually following back up off of what my 
colleague, Mr. Bennett, has said, and that is having the agency 
head, and, in this case, from the OMB Director to the President 
of the United States involved in this, which we are. This has 
been an Administration priority that has been demonstrated 
through the National Cyber Security Strategy, through our 
investment in cyber security in the budget and having the 
resources, looking at workforce issues--all of the things that 
we have talked about. But one strong thing and one thing that 
the agencies respond to that Congress could do, which we 
believe we are doing, is the public accountability.
    And so through the President's management agenda, by giving 
something as simple as a red, yellow, and green, because we 
have focused a lot about the scorecard that Congress issues on 
cyber security; that means a lot to Federal agencies, the 
public acknowledgement that they are improving; that they are 
achieving the results. That is something that Congress can do 
and has done.
    What we have a tendency to focus on are the bad things of 
where an agency is not doing the things that they need to do. 
That makes better news. Those are better stories to put out 
there, not necessarily that this agency----
    Senator Carper. Are you suggesting that the media tends to 
report bad news? [Laughter.]
    Ms. Evans. Yes, sir. So what I am suggesting is what really 
drives a lot of public service and the reason why the folks are 
there in those agencies is to deliver that mission for the 
American people. They do not want to lose the information. They 
do not want to put citizens at risk.
    So when an agency is doing a really good job and a 
comprehensive job, the acknowledgement of that in a public 
forum to say they are doing a good job goes a long way, and is 
a huge incentive.
    Senator Carper. All right. Thank you. Mr. Bennett.
    Mr. Bennett. Yes. I think what we have learned in the 
private sector and I am sure translates to the public sector is 
that you are going to get the greatest return on security when 
there is individual accountability on security. It cannot just 
be agency-wide and such as the agency-wide grades that we have 
been talking about.
    So perhaps certain metrics or parameters have to be put in 
the individual performance appraisals, and if there is poor 
performance, certainly in the private sector, there would be 
the ultimate outcome of dismissal of employment, termination of 
employment. Whether that is possible under the Federal system, 
I do not know.
    But, that increased accountability has to be there.
    At the same time, good performance does have to be 
rewarded, both in public recognition, but also in monetary 
bonuses to the employees, bonus vacation days, things of that 
nature that I believe are permitted under the Federal system.
    That type of recognition is also good. There is also the 
budgetary authority; maybe an agency should be penalized if it 
is getting a D-minus or an F; whereas, but not the spending on 
security with the agency, and if they get good grades, set by 
certain parameters, then somehow in the budget process, either 
reallocation within an agency or in the next appropriation 
process, that agency should be rewarded with that money 
dedicated--I know earmarks are a problem--but dedicated to 
spending for improved cyber security. And then auditing--if you 
get a good grade, maybe you will not be audited as often. You 
come up with poor grades; we are going to start auditing you 
more often.
    Senator Carper. Senator Coleman.
    Senator Coleman. Mr. Chairman, I wanted to get to the 
second panel. But your very question, actually the area of--and 
I am not sure if I will have time----
    Senator Carper. Well, when we go to the second panel, we 
will let you ask your question.
    Senator Coleman. I appreciate this concept of a security 
line with the mission accomplished----
    Senator Carper. Yes.
    Senator Coleman [continuing]. That is really critical. 
Thanks.
    Senator Carper. Just one last question for this panel, and 
it is a workforce question. Ms. Evans, you said back in, I 
think it might have been December when we held a hearing. I 
think we were authorizing the E-Government Act--that you 
recognized that you did not have effective measures in place to 
fill the necessary workforce gaps in IT-related positions.
    And since then, has OMB created effective or more effective 
measures and is there a comprehensive plan that attempts to 
address some or all of these shortages?
    Ms. Evans. So we have recently released the workforce 
assessment, and what we have done is we have broken it out to 
identify the gaps, and then each and every agency now has a 
workforce plan. They have identified the target competency 
level within each of these areas; cyber security is one of 
them, and they have a plan that closes the gap. For example, in 
this area, what they are doing is they are measuring 
certifications and they are putting together a training program 
associated with that.
    What I am now looking at is OK so we have taken it to the 
next level. It is not just the number of people hired, but it 
is now certifications associated with cyber security. What we 
are now looking at through the cyber initiative is education 
overall so that we can look to make sure that the education 
programs and the certifications that these agencies are getting 
for their employees will be--and I am going to use the term 
harmonized--so that you know that if I get the education at one 
university, it is going to be the same education at the other 
university so that when I come into the workforce I have the 
same set of skills.
    And so that is a longer-term effort that we are working on 
now. But we are working with the National Science Foundation 
and a few of the other programs that we have in place to 
harmonize that education process.
    Senator Carper. All right. Before we excuse this panel, 
just give us some good heartfelt advice for those of us in the 
Legislative Branch of what we can do to be a better partner in 
this effort. We have a lot at stake. It is a tough battle, a 
tough challenge that we face. It sounds like it is getting 
tougher, and we want to make sure that we are being supportive.
    Part of what we are doing is trying to play an oversight 
role. I think the House has been doing that as well. And it is 
important for us to do that, too.
    But it is not enough just to put a spotlight on the areas 
where we may have some disappointing performance, but it is 
important that we find ways that we can incentivize better 
behavior and also ways that we can be constructive.
    So in closing out, if you all would just share with us an 
idea or two, you might have on how we can be constructive and 
helpful.
    Mr. Bennett mentioned, for example, he mentioned 
legislative--some legislative work that we had to do.
    Mr. Bennett. Right.
    Senator Carper. And, feel free if you agree with that or 
disagree with that that would be helpful to hear, too. Mr. 
Bennett, do you want to go ahead?
    Mr. Bennett. Thank you, Mr. Chairman. Well, I think our 
approach would be--the overall problem of information security 
is enormous; is very difficult to get your arms around it. But 
there are incremental steps that can be taken and should be 
taken. With respect to protection of our Federal information 
systems, we have made our recommendations in our written 
testimony. We feel that they are all manageable. They are not 
by way of criticism of the men and women who are working on 
this within the Federal agencies, but instead we are saying 
based upon experience, this is a way now to take us forward 
based on the past 5 years experience and lock in and improve 
security to the extent we can.
    We believe the cyber crime bill that this chamber passed in 
November by unanimous consent now sitting with the House will 
help give increased authority and increased penalties for the 
U.S. Department of Justice to use in fighting cyber crime. We 
believe that the next Congress is going to need to take on a 
broader data security bill that includes issues of data breach 
notification that both you, and Senator Coleman, have been 
extremely active on in this particular chamber and that we 
support--protecting personally identifiable information.
    We need to bring all entities that hold large amounts of 
information, our universities, which are one of the biggest 
targets of attack. Home users, government, businesses--they all 
need to bring their standards up such as the financial services 
sector has done with the PCI standards. We need to start 
bringing everybody's awareness up through public education, 
which is another component here, and also it is going to take 
legislation; otherwise, they will not do it.
    We need a broad data security and breach notification bill 
hopefully in the next Congress to bring the overall standard up 
against protection, because quite frankly, the bad guys are 
winning. They evolve extremely rapidly. We are now even seeing 
malicious code being tweaked on a daily basis in some cases to 
get around patching, so it is a leapfrog process. They have 
tremendous financial resources that a Federal agency cannot 
match. So we need to take whatever steps we can, but it is 
warfare. It is warfare against organized crime, individual 
hackers, and state-sponsored.
    Senator Carper. All right. Mr. Wilshusen, any parting 
advice for us on the legislative end?
    Mr. Wilshusen. Well, I would just say that there could be 
some opportunities to tweak FISMA to make it more strenuous and 
clear in certain areas in terms of certain requirements that 
need to be performed perhaps as it relates to the testing and 
evaluation security controls, some of the FISMA reporting 
requirements, as well as the annual independent evaluations 
performed by the IGs.
    Senator Carper. All right. Thank you. Ms. Evans.
    Ms. Evans. I would agree that maybe some clarification as 
agencies go forward, but I would caution against major changes 
to FISMA, only from the aspect of agencies understand it. Now 
whether we agree with whether it is producing the right result 
or not, the framework is a sound framework.
    And what my concern would be is to do a major change to it 
would then mean that we have to reinstitute policies, reeducate 
the agencies, when we are really trying to be focused on what 
the results are.
    I would encourage more of the types of activities that 
Senator Coleman and Senator Collins did following up on certain 
things, going back out to see if the solutions have actually 
been implemented, asking agencies to produce results of that 
and show, give evidence that they have actually implemented 
those solutions, and those types of things.
    And that is where Congress can be very helpful in making 
sure, and that follow up is very powerful, because you are 
following up on policies and statutes that are in place to make 
sure the agencies are really putting those solutions in place.
    Senator Carper. All right. Ms. Evans, Mr. Wilshusen, and 
Mr. Bennett, thank you so much for being with us today, for 
your thoughts and your willingness. One of the questions I am 
going to come back to you, Mr. Bennett, you gave us, I think, 
in your written testimony a number of recommendations. And I 
would say to Ms. Evans and Mr. Wilshusen, one of the things 
that I am going to do is come back to you, each of you, and 
just ask you to evaluate the recommendations--which one do you 
agree with, which one would you modify, which ones do you 
disagree with, but that will be most helpful. All right. Thank 
you very much.
    Mr. Bennett. Thank you.
    Senator Carper. Welcome to the four members of our second 
panel. We are glad that you are here, and we thank you for 
joining us. I am going to take just a moment and introduce each 
of you, if I can and then we will call on you to give us your 
testimonies.
    We just start with Hon. Robert Howard, Assistant Secretary 
for Information and Technology. Mr. Howard serves as the 
Department's Chief Information Officer, advising the Secretary 
of Veterans Affairs on all matters pertaining to acquisition 
and management of IT systems.
    Prior to his nomination, he retired as a Major General from 
the U.S. Army in 1996, where he served for 33 years. How did 
you get your commission?
    Mr. Howard. ROTC, sir.
    Senator Carper. Me, too. Good for you. Where did you go to 
school?
    Mr. Howard. Northeastern University.
    Senator Carper. All right. And while on active duty, Mr. 
Howard served in a variety of command and staff assignments in 
the continental United States, Europe, and in Asia; two tours 
of duty in Vietnam--a part of the world where I spent some time 
myself. I think you and I must be about the same age.
    Our next witness is Susan Swart, Chief Information Officer 
at the Department of State. Ms. Swart is a member of the Senior 
Foreign Service for the rank of Minister of Counselor. What do 
people call you when they address you--Minister-Counselor 
Swart?
    Ms. Swart. No title.
    Senator Carper. All right. When I was governor, they 
addressed me as excellency. And how about mayor?
    Senator Coleman. Mayor.
    Senator Carper. All right. But Ms. Swart is a member of the 
Senior Foreign Service with the rank of Minister-Counselor and 
was recently appointed as the Chief Information Officer in 
February 2008. Congratulations.
    Ms. Swart. Thank you.
    Senator Carper. Prior to assuming her new position, she was 
the Deputy Chief Information Officer for Business Planning and 
Customer Service and the Chief Knowledge Officer from April 
2006. I like that--the customer service. That is good.
    Our third witness is Daren Ash, Chief Information 
Officer and Deputy Executive Director for Information Services 
at the Nuclear Regulatory Commission. Mr. Ash has over 15 years 
of Federal service. How many years at the NRC?
    Mr. Ash. About 10 months.
    Senator Carper. All right. Prior to joining the NRC, Mr. 
Ash worked as the Department of Transportation's Associate 
Chief Information Officer for IT Investment Management, and for 
close to 2 years, he led DOT's information assurance and the 
security privacy and enterprise architecture, capital planning, 
and information resource management activities.
    The final witness is Phil Heneghan, Chief Information 
Security Officer and Chief Privacy Officer at the U.S. Agency 
for International Development. During the last 5 years, he has 
been responsible for managing the USAID Information Systems 
Security Program.
    Mr. Heneghan led the development of the FISMA program that 
improved the agency's FISMA grade from an ``F'' in 2003 to a 
grade of ``A-plus?''
    Mr. Heneghan. Yes, sir.
    Senator Carper. Were they grading on a curve? What do you 
think? No? [Laughter.]
    That is pretty amazing--in 2005, at least that was the 
grade appointed by the House Committee on Oversight and 
Government Reform.
    USAID has maintained the A-plus for its information 
security program for the past 3 years. Great fun.
    Mr. Howard, you are recognized first, and again use 5, 6, 
or 7 minutes for your statements and then we will ask some 
questions. All of your entire written statement will be 
admitted for the record.
    Mr. Howard. Thank you, sir.
    Senator Carper. Sure. Thank you. And let me just say thank 
you for your service in the Armed Forces of our country.
    Mr. Howard. And for yours, sir.
    Senator Carper. My pleasure.

   TESTIMONY OF THE HON. ROBERT HOWARD,\1\ CHIEF INFORMATION 
          OFFICER, U.S. DEPARTMENT OF VETERANS AFFAIRS

    Mr. Howard. Good afternoon, Chairman Carper, Senator 
Coleman. Thank you for your invitation to discuss the ability 
of the Department of Veterans Affairs to protect and secure 
sensitive data.
    Information protection is a top priority within VA and is 
highlighted as one of the five principal priorities in the 
Fiscal Year 2006-11 VA Strategic Plan.
    As you are well aware, May 3, 2006 was the day of the theft 
which led to the temporary loss of personally identifiable 
information of up to 17.5 million veterans, some of their 
spouses and some active duty personnel.
    Although the follow-on investigation confirmed that 
information was never accessed, that day was a wake-up call, 
not only for VA, but for the entire Federal Government as well 
as the private sector.
    As a result of that incident, we began to improve our 
security posture and create the environment needed to better 
protect any sensitive information entrusted to us.
    Clearly, the centralization of information and technology 
within VA has had a positive impact regarding the protection of 
sensitive information. Within this new structure, we have 
established a separate organization, called Information 
Protection and Risk Management, that is dedicated to improving 
our overall data security posture.
    A new Deputy Assistant Secretary position has been 
established to lead this organization and help provide the 
important focus that is needed.
    I would like to take a few moments and just mention a few 
that are in the room with me today. This is a very important 
team we have. Several key leaders from this organization are, 
in fact, here. Adair Martinez is my Deputy Assistant Secretary 
for this organization. Jaren Doherty is our new Chief 
Information Security Officer----
    Senator Carper. Could I just ask you, as your names are 
mentioned, just raise your hand so we are able to put a face 
with name?
    Mr. Howard. Yes, sir.
    Senator Carper. Adair Martinez. OK. Thank you.
    Mr. Howard. Jaren Doherty is our new Chief Information 
Security Officer, which we have been seeking for 2 years. He is 
now on board. He oversees cyber security. Kathryn Maginnis is 
in charge of incident response and risk management. Sally 
Wallace leads our efforts in the area of privacy and records 
management. And Charlie Gephart is our Director of Field 
Security Operations, who has all the field security individuals 
throughout the organization.
    Andy Lopez has recently established our business--Office of 
Business Continuity. And in addition, there is Arnie Claudio, 
the Director of our Office of IT Oversight and Compliance, a 
very important capability as I will explain in a moment.
    Sir, as I mentioned, this is a very important team for VA 
because these individuals form the leadership core for 
information protection. They are all focused on the 
implementation of a wide variety of activities that are moving 
us to a much more secure posture than that which currently 
exists in VA.
    One of the most important steps we have taken to help 
create a robust information security environment is the 
development of a comprehensive action plan. We call that the 
Data Security-Assessment and Strengthening of Controls program.
    It focuses on three major areas: Managerial activities, for 
example, the establishment of policies and directives; technical 
activities--the example there would be better software tools, 
such as encrypted thumb drives; and operational activities, and 
examples there would be establishment of procedures to provide 
an enhanced employee training environment and overarching 
programs to enhance individual employees' awareness of their 
information security responsibilities.
    This particular program, which includes several hundred 
specific actions, is oriented on improving the position of the 
VA in the entire area of information protection.
    To date, we have had about 40 percent of the actions 
completed.
    One especially important action was the completion and 
publication of VA Handbook 6500 back in September 2007. This 
handbook describes the VA Information Security program, and it 
also includes the national rules of behavior, a document that 
employees must sign before they are given access to our 
computer systems and sensitive information.
    While we have made progress, there is still much to be 
done. With respect to FISMA, there are five problematic areas 
for VA: Annual testing and system inventory; the plan of action 
and milestone process; certification and accreditation of IT 
Systems; configuration management; and security awareness 
training. These are problem areas for us.
    We continue to make progress in each of these, and the 
actions to correct related deficiencies are all included in 
that comprehensive action plan that I just mentioned.
    Incident response and our program for oversight and 
compliance are two very important initiatives where we have 
made substantial progress. And these activities I believe are 
definitely making a difference throughout VA. But even with all 
we have accomplished, we still experience security and privacy 
incidents. We consider any data breach to be serious if veteran 
or employee sensitive personally identifiable information is at 
risk. Many of these incidents are the result of human error and 
carelessness, which is why it is so important to establish a 
culture and a strong environment of awareness and individual 
responsibility throughout the organization.
    In closing, we have a variety of aggressive programs in 
place that will ultimately help us achieve the Gold Standard in 
data security which, since the summer of 2006, has been a major 
goal of VA. Much more remains to be done, but I remain 
personally committed to working toward achieving this gold 
standard goal, and I can assure you that VA senior leaders are 
equally committed.
    Thank you for your time and attention today, and I am 
prepared to answer any questions you may have.
    Senator Carper. General Howard, thanks very much. Ms. 
Swart. Welcome.

TESTIMONY OF SUSAN SWART,\1\ CHIEF INFORMATION OFFICER, BUREAU 
   OF INFORMATION RESOURCES MANAGEMENT, U.S. DEPARTMENT OF STATE

    Ms. Swart. Good afternoon, Chairman Carper and Senator 
Coleman. I am pleased to have this opportunity to testify 
before the Subcommittee concerning the protection of 
information and information technology. My statement will provide an 
overview of the Department of State's Information Security 
Program, followed by a few suggestions on enhancing FISMA.
    The Department employs a defense in depth security strategy 
providing multiple levels of protection to address the global 
nature of our operations.
    Over our global unclassified network, we process weekly 
about 25 million e-mails and instant messages from more than 
50,000 employees and contractors at 100 domestic and 260 
overseas locations.
    Weekly we block 3.5 million spam e-mails, intercept 4,500 
viruses, and detect over a million external probes on our 
network. Cognizant of these risks, the Department leveraged 
its experience handling classified information when we 
deployed Internet access across the enterprise and limited 
Internet access points.
    In a continuation of this theme, the Department has been 
actively involved with the trusted Internet connection effort. 
The Department employs network vulnerability scanning tools 
that provide systems administrators worldwide with daily 
validation reports. These reports include information on patch 
management, anti-virus updates, and security configuration 
compliance.
    The tools provide appropriate and timely risk management 
data to administrators who have the means to address issues at 
the local level.
    Now I would like to highlight some of the specific efforts 
that support the Department's defense in depth security 
strategy.
    To further FISMA's goal of providing better information 
security, the Department established a Deputy Assistant 
Secretary level Information Security Steering Committee 
representing a cross section of Department officials.
    The forum provides a high level opportunity to ensure that 
the principles of sound information security management are 
instilled upon all Department employees as they fulfill their 
roles regardless of geographic location.
    In 2003, the Department of State was cited by an 
independent financial auditor for having a fragmented 
information security program that allowed for vulnerabilities 
to arise in the areas of external and internal systems security 
controls. As a result, the Department's information security 
program was identified as a material weakness.
    Through the efforts of numerous Department officials, 
continuous and measurable progress was made in addressing the 
independent auditor's concerns, and in the span of 2 years, the 
material weakness was downgraded to a reportable condition and 
then a deficiency.
    Given our present progress, the matter is expected to be 
formally closed at the end of this fiscal year.
    We have also strengthened our certification and 
accreditation. In 2006, the Department restructured its process 
and allowed for appropriate ownership of certification and 
accreditation within the bureaus while providing centralized 
oversight and expertise.
    These changes have been cost effective and transparent. 
Specifically, certification and accreditation costs were 
reduced by more than 70 percent in the second half of Fiscal 
Year 2007 while maintaining 100 percent of systems certified 
and accredited.
    The Department has been an ardent supporter of the 
information systems security line of business. Presently, the 
Department of State and USAID information security awareness 
training is used by four other agencies totaling over 40,000 
government employees and contractors in addition to our own.
    The Department's accomplishments in the area of privacy 
include the development of a breach notification policy, 
procedures for a core response group in the event of a breach, 
reduction and elimination of the use or dissemination of Social 
Security numbers, and enhanced attention to privacy impact 
assessments in the certification and accreditation process.
    The Department has a process in place for encrypting all of 
its mobile computing devices. Department mobile users may only 
access the Department's unclassified network through a two-
factor authentication system.
    Reauthentication is required after 15 minutes of 
inactivity, which exceeds the standard.
    While the Department and the rest of the community have made 
great strides under FISMA, there is room for improvement.
    As GAO has noted, FISMA is structured in a manner where 
disparities in audit scope, methodology, and content exist. A 
possible FISMA enhancement is the development of a common 
Inspector General evaluation framework. Another enhancement is 
the addition of quantifiable standardized repeatable metrics 
that allow an agency to detect and react to cyber security 
threats and manage vulnerabilities.
    The Department has a variety of security services including 
continuous network monitoring, intrusion detection, technical 
countermeasures, threat analysis, and physical and technical 
security programs, none of which are completely reflected in 
the current FISMA metrics.
    Mr. Chairman, I want to conclude by reiterating the State 
Department's unyielding commitment to information security. I 
thank you and the Subcommittee Members for this opportunity to 
speak before you today and would be pleased to respond to any 
of your questions.
    Senator Carper. Ms. Swart, thank you very much for that 
testimony. And we will now turn to Mr. Ash. Welcome.

 TESTIMONY OF DARREN B. ASH,\1\ DEPUTY EXECUTIVE DIRECTOR FOR 
   INFORMATION SERVICES AND CHIEF INFORMATION OFFICER, U.S. 
                 NUCLEAR REGULATORY COMMISSION

    Mr. Ash. Thank you. Mr. Chairman, thank you for the 
opportunity to appear today to discuss the U.S. Nuclear 
Regulatory Commission's efforts to protect its information 
technology assets and sensitive information.
    The NRC is very much aware of the magnitude of the computer 
security challenge and the importance of strengthening our 
defenses to meet it.
    While a computer security program has been in existence at 
the NRC since 1980, in November 2007, the agency established a 
new organization, the Computer Security Office, as the focal 
point for agency-wide efforts. In addition to addressing the 
core requirements of FISMA, the Computer Security Office works 
with other NRC offices on strategies to protect sensitive 
information.
    In September 2007, the NRC Inspector General identified two 
significant deficiencies: A lack of current certification and 
accreditation and a lack of annual contingency plan testing for 
most of the agency's systems. The NRC declared its Information 
Security Program as a material weakness.
    Over the succeeding months, the NRC has taken aggressive 
action to strengthen our Information Security Program across a 
broad range of activities. These include the following: 
Certifying and accrediting 12 systems since April 2007, 
representing 32 percent of the 37 major applications and 
general support systems. The NRC plans to certify and accredit 
10 additional systems by June 2008 and expects that all 
remaining systems will be certified and accredited in Fiscal 
Year 2009; consolidating systems within our inventory, and, 
where possible, modernizing legacy applications sooner; and 
requiring that tests of system contingency plans be conducted 
by the end of June 2008 as well as linking the requirement to 
Senior Executives' performance.
    The NRC also recognizes the importance of providing staff 
the information security training necessary to carry out their 
assigned duties effectively. Rapid technology changes make it 
necessary to constantly refresh the skills and expertise of 
employees to keep pace with these changes. To date, the NRC has 
provided comprehensive information security awareness and 
general security training to all employees.
    Despite the challenges, the NRC remains firmly committed to 
meeting the standards and requirements of FISMA. Nonetheless, I 
believe implementation improvements are needed. Compliance, as 
currently measured, does not permit an accurate view of the 
effectiveness of its implementation because metrics concentrate 
on development of plans, policies, and procedures, and the 
implementation of controls. These metrics assume that all 
controls are of equal weight and importance. In practice, this 
is not true. For instance, FISMA could be adjusted to include a 
requirement to report on agency controls to prevent data leaks. 
Furthermore, reporting should give greater weight to the 
implementation of controls that defend against high impact 
threats and that counter the most significant vulnerabilities.
    I believe that FISMA requirements are sufficiently 
comprehensive and flexible to permit an agency to balance 
compliance requirements against overall needs for security. 
However, overemphasis on the annual report card does not allow 
for a clear picture of the relative security posture of 
agencies. Implementing security that aims to simply satisfy 
reporting requirements will not necessarily lead to an 
effective Information Security Program.
    In summary, executive management at the highest levels--
Chairman Klein, the Commission, has taken responsibility for 
the security of NRC's information systems and FISMA compliance. 
The NRC is taking strong and deliberate steps to build a sound 
Information Security Program to address the security of NRC's 
information systems and correct FISMA compliance shortfalls. My 
goal is to provide an effective security program that weighs 
risk, openness, and cost as an institutionalized part of NRC 
business practices.
    Again, I thank you for the opportunity to comment on this 
important topic and I look forward to answering any questions 
that you may have.
    Senator Carper. Thank you, Mr. Ash. Mr. Heneghan. I am 
interested to hear how you guys got all those A-pluses.

  TESTIMONY OF PHILIP HENEGHAN,\1\ CHIEF INFORMATION SECURITY 
       OFFICER, U.S. AGENCY FOR INTERNATIONAL DEVELOPMENT

    Mr. Heneghan. Thank you, Chairman Carper and Members of the 
Subcommittee, for the opportunity to testify on USAID's 
information security program and our implementation of FISMA.
    I would like to begin by describing USAID's mission and the 
unique information security challenges created by this mission. 
Then I would like to report on how our risk-based information 
security program has successfully implemented FISMA. I will 
also discuss how we use innovative techniques and technologies 
to measure and manage the risk to our information and systems.
    USAID's mission requires us to work in developing countries 
and work in close partnerships with many different PVOs, 
indigenous organizations, universities, American businesses, 
international agencies, other governments, and NGOs.
    USAID's Office of Foreign Disaster Assistance (OFDA) also 
responds to complex emergencies and disasters, such as the 
recent events in Bangladesh, Ethiopia, Kenya, and Sudan. This 
requires USAID to support different risk models for network 
operations and creates many challenges for implementing a 
worldwide information security program.
    Most of the USAID information technology activity occurs on 
AIDNET, which is a single worldwide network made up of 9,000 
interconnected workstations and 8,000 other network 
infrastructure devices. Approximately 3,000 of the workstations 
are here in Washington, with the remaining 6,000 workstations 
located in more than 70 countries around the world.
    AIDNET is constantly changing. We recently established a 
new site in Banda, Indonesia, moved 11 other mission locations, 
will soon set up another site in Pakistan, and are regularly 
changing the communication channels for all sites back to 
Washington.
    We need to understand, manage, and monitor these changes to 
our network so that we can identify any change in the risk we have 
accepted. Our risk-based program requires us to be continually 
aware of the changing structure of our network and our focus on 
measurement ensures we can.
    Our information security program uses a risk-based 
management approach to effectively implement appropriate 
operational, technical, and managerial controls. To support 
this approach, we lean heavily on technologies that automate 
the collection and reporting of security information and 
metrics.
    For instance, through technology we have automated our 
security awareness training with a USAID-developed program we 
call Tip of the Day. The Tip of the Day program provides a 
brief security lesson and prompts the user to answer a question 
about that lesson before the user logs into one of our 
networks. We have partnered with our colleagues at the 
Department of State to make this and other security training 
available to others in the Federal Government and are proud 
that this innovative program has been selected as a component 
of the Information System Security Line of Business.
    For the past 4 years, we have used a robust vulnerability 
management program that continually scans the 17,000 systems on 
our network to measure their security posture. This program 
ensures that each system is evaluated about 10 times a month.
    In 2006, we moved to the next level and implemented a risk 
modeling program that couples this vulnerability data with our 
network access rules to model our network and report any 
changes impacting the risks we have accepted.
    This virtual modeling occurs daily and provides a true 
picture of our exposure to identified threats. We have also 
centralized the management of our entire security 
infrastructure in Washington to collect and analyze security 
events and network metrics from hundreds of remote security 
systems around the world.
    As one of the six Einstein pilot agencies since 2006, we 
have exchanged situational awareness information that has 
benefited our agency and the wider Federal community.
    This was the beginning of a strong partnership with US-
CERT, including the GFIRST Program. GFIRST has provided a 
secure communications channel to the Federal community for us, 
and we are an active participant. Of course, these metrics and 
technologies would be useless if we did not engage the 
executives, managers, and system administrators responsible for 
individual systems and networks.
    This is an area where I believe we have implemented one of 
the foundational tenets of FISMA. For each system and network, 
we have identified the executive who owns the system, and, as a 
result, has responsibility for and is in the best position to 
make risk-based decisions regarding the system's security 
controls.
    Our experience has shown that if provided the right 
metrics, system owners apply the necessary resources to ensure 
that their systems remain at an appropriately secure level. Our 
responsibility is to provide those system owners with the 
metrics they need to make information security decisions based 
on risk.
    Towards the goal of keeping executives informed of their 
security posture, we produce monthly security reports on our 
systems and networks and provide them to over 100 executives 
throughout the agency.
    We deliver these metrics in a report card format so that 
our leadership team can readily understand and act upon the 
information. We have found that because our reports are 
accurate, consistently produced, and actionable, they are 
extremely effective and, as a result, USAID maintains a high 
level of security on all our systems.
    Our experience with FISMA has generally been very positive. 
We have adopted the risk management principles of the law, 
including the regulatory guidance, and have built a robust 
information security program.
    Protecting systems and information, though, is an ongoing 
effort. The threat is constantly changing, and attack 
methodologies are continually evolving.
    Therefore, we are always concerned about the threats we do 
not yet know about. However, by understanding our environment 
and our baseline through the use of technology and process, we 
are in a better position to identify deviations that may 
indicate a new threat. We can then reduce our risk exposure by 
implementing new operational, technical, or managerial 
controls.
    I appreciate the opportunity to appear before you today, 
and I look forward to any questions you may have.
    Senator Carper. All right. Thanks very much. Do I 
understand that you have gotten these A-pluses for 3 years in a 
row?
    Mr. Heneghan. Yes.
    Senator Carper. And the first report card that you got was 
a failing grade?
    Mr. Heneghan. Well, luckily for me, I started my job 1 week 
after we got an F.
    Senator Carper. One week after?
    Mr. Heneghan. Yes. I had nowhere to go but up.
    Senator Carper. Yes. And you have.
    Mr. Heneghan. And we got a C-minus the next year.
    Senator Carper. And then after that?
    Mr. Heneghan. We have stayed at an A-plus since then.
    Senator Carper. You already mentioned this, alluded to it, 
but just walk us through again--why do you think we have seen 
the original, initial improvement and then the ability to 
sustain performance at what most would say is a very high level.
    How do you explain the success?
    Mr. Heneghan. I think agency senior management took 
security seriously. And by finding the executives who are 
responsible for the systems, I think that is the better way to 
do it. I guess prior to the time I was there, all of the system 
certification and accreditation happened within the CIO's 
office, and we moved that out to the owners of the systems--the 
CFO, for example. He is responsible for accrediting the system.
    Now the certification would happen by myself across the 
agency--so that I can accept for the agency reasonable risk, 
but not allow the CFO or someone else to have more risk on the 
agency.
    But giving them ownership has solved a lot of problems for 
us. That is the primary thing that we have done.
    Our awareness program makes everyone aware of security. The 
fact that every day everyone has to answer a question has 
created a climate of awareness on security.
    Senator Carper. Yes. Do other agencies come to USAID and 
say, what is your secret here? What are you all doing and how 
can we emulate this? Does that happen?
    Mr. Heneghan. Yes, that has, and a number of people----
    Senator Carper. But from whom? Anybody at this table?
    Mr. Heneghan. Yes. State and----
    Ms. Swart. Our Chief Information Security Officer, John 
Streuferd, used to be the Chief Information Security Officer at 
AID.
    Senator Carper. But did you steal him?
    Ms. Swart. Yes. And our security posture is much better.
    Senator Carper. Is that right?
    Senator Carper. So in the end it is about people?
    Ms. Swart. Yes.
    Senator Carper. Yes.
    Ms. Swart. Can I point him out since I mentioned him?
    Senator Carper. Sure. Thank you. All right.
    The agencies seem to be on the front lines in protecting 
our government's data. We have a responsibility, too, but the 
actual Executive Branch agencies are really on the front line, 
and I would like to get an agency's point of view on FISMA and 
how it has been implemented maybe for the last 5 years since it 
was enacted.
    And could each of you maybe just briefly summarize whether 
or not you feel FISMA has created reliable metrics to measure 
your agency's information security programs? And, if not, what 
kind of metrics or measurements would you like to see instead? 
General Howard.
    Mr. Howard. Yes, sir. I believe the metrics are fine, in 
FISMA . . . it is really a matter of discipline in following 
the instructions, getting full involvement from the leadership, 
as was mentioned a couple of times here at the table. The law 
itself is, I think, adequate. It is up to us now to deal with 
it and get it done, and that is where the problem is. It is not 
a problem with the guidance. The guidance is pretty clear. The 
problem is, as you well know, getting people behind it. It is a 
people issue, whether it is leaders or all the way down to the 
individual employees. I mean, that would be my opinion.
    Senator Carper. And how do we address that part of the 
problem?
    Mr. Howard. Sir, the agencies have to address it. In the 
VA, for example, we have an intense effort to try to turn 
around awareness in the sense of individual responsibility, and 
we are not there yet. There is no doubt about it. We got a long 
way to go.
    In the area of FISMA, as you well know, we have not done 
well. Last year, we got an incomplete, and we did not even get 
the thing in.
    This year, we at least completed all of the controls that 
were supposed to be done. That took some doing, but we got it 
done. We are heading up, but I can tell you right now, there is 
an awful lot of work remaining.
    Senator Carper. All right. Thank you. Ms. Swart.
    Ms. Swart. I think that FISMA could be improved by adding 
metrics that look at some of the things we are doing--scanning, 
network intrusion, anti-virus patching--that directly have an 
impact on our ability to thwart attacks, that would be an 
improvement.
    I think FISMA--it has been good because it has raised 
awareness. I mean, 5 years ago, you would not have an Assistant 
Secretary that would pay attention to system security, and now 
we have done what we call 90-day pushes to get some attention 
of system owners that work for those Assistant Secretaries. 
They are engaged in that activity. And they are personally 
following up. So, from an awareness point of view, across the 
agency it has been very successful. People are tuned into the 
importance of securing our systems, so in that respect, it is 
good.
    It would also be helpful to have a common yardstick for the 
IGs across the Federal Government to measure our performance. I 
think that would also give a better sense of how well agencies 
are doing compared to each other. You would get a better sense 
of whether the F that we had in 2006 is the same F that 
somebody else had in 2006.
    Senator Carper. All right. Mr. Ash, I saw you nodding your 
head at something Ms. Swart was saying. Tell us what that was 
about?
    Mr. Ash. It goes to the point that Ms. Swart talked about 
the IG. And is the F that the NRC has--that we have is it the 
same F that the State Department has.
    Is what the IG in their audit--how they assess State 
Department's compliance--is it the same approach that NRC's 
Inspector General took?
    I included it as part of my written testimony, but that 
gets back to the point of we need a consistent approach--it is 
not a matter of the law. But it is a matter of how the 
Inspectors General address an audit consistently across the 
Federal space.
    It is a good way--being able to have that common sense of, 
is an F an F across the board? Is an A an A? Is USAID's A the 
same as another agency's?
    Senator Carper. Theirs is an A-plus.
    Mr. Ash. Oh, I am sorry, an A-plus.
    But going back to your other question I want to answer--
your question gets back to, for me, it is common-sense metrics. 
How effective are we in defending the perimeter, defending--
implementing controls? How effective are we in enforcing and 
actually applying rules of behavior, not just signing a rules 
of behavior form, but actually knowing that we are actually 
adhering to it?
    Those are the types of real time, real metrics that give me 
a better sense of how effective is it. It is not just how many 
certifications and accreditations we have implemented, how 
effective our program process is, but again the people. Are the 
people educated? Do they understand why we are doing this? Do 
the executives understand this and are they really following 
through on the rules of behavior?
    Senator Carper. Are we measuring effectiveness now?
    Mr. Ash. I think in some aspects yes. Probably the one area 
that I have always been a firm believer in is what they call 
the plan of action and milestone process, where we identify 
risk, where we identify a vulnerability. An effective security 
program means that you are doing a good job identifying what 
those risks and vulnerabilities are, tracking them, documenting 
and tracking them and ultimately resolving them; again, 
addressing ultimately those risks and vulnerabilities, but 
having a legitimate, managed process to do that.
    Senator Carper. All right. Mr. Heneghan.
    Mr. Heneghan. The eight points in the FISMA law, I think, 
are effective. I do agree that better metrics to make sure, as 
Susan was saying, that you are aware of how many intrusions are 
happening to you; are your systems being patched? Do you have a 
good vulnerability management system? There are a lot of metrics 
associated with that, but I think OMB could ask for as part of 
the current FISMA reporting process, and I think those type of 
metrics would help get to the results that everyone here is 
looking for.
    Senator Carper. All right. Was there anything that folks on 
the first panel said that you just really resonated with you 
strongly, that you said, that is for sure? I really think that 
is a great point.
    Was there anything that you heard from the first panel that 
you said, I do not agree with that? Maybe a point or two from 
each of you on that. Mr. Ash, you want to go first?
    Mr. Ash. I think the one comment that resonated with me 
from a negative perspective was the comment that was made by 
the industry representative about the Inspectors General----
    Senator Carper. Which comment was that?
    Mr. Ash [continuing]. That if you are doing well, maybe you 
take a pass on having an audit the following year.
    I do not think that is a valid or an appropriate approach. 
I think the Inspectors General have a defined responsibility, 
and I think for me, for the NRC, it continues to identify--
having an annual audit will always give me an opportunity to 
identify weaknesses.
    Senator Carper. OK. All right. That might be something on 
the minus side. Anything on the plus side that you want to just 
underline and underscore for us?
    Mr. Ash. I agree with Ms. Evans' comment about FISMA 
getting away from paper, and for agencies that are doing well, 
it means that they have really taken it to heart. It is not 
just the paper-based process. It really is you are doing 
security for the right reasons. You are doing it for the 
agency, and you are doing it for the mission.
    Senator Carper. All right. Thank you. Ms. Swart.
    Ms. Swart. I think both of the gentlemen on the first panel 
commented again about the metrics and the standard yardstick, 
so I definitely agree with that.
    On the negative side, the comment that because of the way 
FISMA is viewed to be a paper exercise, which I do not think 
most agencies view it as, that leads to complacency about 
security. I do not think that is true.
    I think that, at least based on the experience in our 
agency, security is a very important activity, growing in 
visibility, and yes, there are improvements that we can make 
and better ways to measure it, but I do not think that agencies 
are complacent. It is too visible and becoming more visible, so 
I do not think that was an accurate statement.
    Senator Carper. All right. Thank you. Mr. Heneghan.
    Mr. Heneghan. This might have been a question, but I think 
that using technology that is available in the marketplace and 
bringing that to bear on our systems. We have done that for our 
risk modeling program, which is primarily only used by banks, 
but we use our vulnerability management process, again, a 
commercial product. So I think using the commercial market--
because technology is changing so fast. They are keeping up 
with it, and we need to stay with them to keep up.
    Senator Carper. All right. Thank you. General Howard.
    Mr. Howard. I would like to comment on the incident report. 
Again, I think you were the one who asked why there are so many 
incidents in the VA, there is no question as to why there are--
we are reporting them with rigor.
    Incidents clearly existed before, but now we report all of 
them as a matter of policy. Do not even think twice. If you think 
you have an incident, get it reported, because we have got one 
hour for the information to get to the US-CERT. So, when you 
operate that way, you are going to have a lot of incidents.
    Fortunately, most of them are minor, but, every once in a 
while, we have one that is rather serious, requiring an 
investigation or whatever.
    Every one of them, though, we pay attention to, even if it 
is only involving one veteran. We notify the individual. And if 
we believe his information may have been compromised, credit 
monitoring is offered.
    Senator Carper. I guess at the VA, as you all know, and let 
me just say there are some things that you do at the VA that are 
terrific--the way you have harnessed information technology for 
the delivery of health care, something that we are emulating, 
trying to do in Delaware, statewide, is wonderful, and as a 
veteran I appreciate that we are now able to save money, 
save lives, make employees, the agency employees, more 
productive. I think that is just great stuff.
    Mr. Howard. Sir, I am glad you mentioned that.
    Senator Carper. Yes.
    Mr. Howard. Could I make another comment on that?
    Senator Carper. Please. Yes.
    Mr. Howard. Because what you are talking about is a major 
challenge for us within VA and the whole area of information 
protection.
    It is a balance issue. Let me give you a good example--the 
Standard Desktop Configuration that was mentioned earlier. We 
are now going through that in the VA--we are the second largest 
organization--240,000 people, desktop computers and laptops all 
over the place.
    When we first started, we had 18,000 separate applications 
that we had to work through. In some of these, if you apply the 
configuration controls, you put them out of business. I will 
give you a specific example--blind rehabilitation was a small 
computer program that was put together some years back. We will 
solve the problem, but you cannot automatically introduce some 
of these controls without testing them and being very careful 
in not shutting down some aspects of the business--a doctor 
trying to care for a veteran.
    That is a very real problem in the VA, to strike that 
balance and get it right. We know what we need to do, but we 
cannot shut the business down at the same time. And we do not 
have time. We know we have to keep moving as rapidly as we can.
    Senator Carper. General Howard, you have been very frank 
and candid in saying that we do a much better job of 
identifying and reporting, which is commendable, but you said 
we have got a long way to go before where we need to be.
    Do you all take advantage of an agency like USAID and just 
reach out to them and say well, how did you do it, and what can 
we learn from them?
    Mr. Howard. Sir, we have talked to other government 
agencies, not USAID. We learned the hard way in May 2006. It 
was pretty obvious to us what needed to be done. But we have 
talked to other government agencies, as other government 
agencies have talked to us, too, lots of them.
    Senator Carper. OK. Mr. Heneghan, if General Howard wanted 
to talk to you before he left today, would you give him a 
couple of minutes?
    Mr. Heneghan. Certainly.
    Senator Carper. So all right. Good. I think another issue 
that is core to complying with FISMA is the--we talked a little 
bit about this, too, but the independent evaluation conducted 
by IGs. These evaluations are crucial for a number of reasons, 
but, in part, because they allow agencies to work with their 
IGs in identifying vulnerabilities and trying to cc some of the 
weaknesses that have been uncovered.
    Having said that, I understand that not all independent 
assessments conducted by agencies are to the same standard. And 
some agencies receive the benefit of a thorough assessment of 
their IT security while other agencies frankly do not. And let 
me just ask do you feel that this is the case and, if so, 
should there be a baseline standard for--set really for all 
independent assessments?
    Ms. Swart. Yes. I think that is what a lot of us just said. 
Just to give an example. If you have one inventory system that 
you did not inventory, what should the impact be on your score 
or on the points, and that could be different agency to agency. 
Or if you are talking about awareness training, do you really 
need to train all the employees, including an employee like a 
gardener that would never access the system?
    Those are just two examples that show how the OIG looks at 
something could impact the way they evaluate system security at 
one agency versus another agency.
    But I do say it is very important to have the independent 
validation of the OIG and not just completely rely on the 
reporting of the IT, the CIOs.
    Senator Carper. Right. Anybody else want to add to that 
point?
    Mr. Howard. One activity that we have put in place, sir, 
that has proved to be very helpful is our oversight and 
compliance capability. It is very robust. We put that in place 
about a year ago. Arnie Claudio, whom I introduced earlier, runs 
that. Since last January, over 155 assessments--we use the word 
assessment, not inspection or investigation, because we want it 
to be a helpful activity, identify issues and problems and help 
remediate them on the spot, if necessary. That is the way we 
have designed it, and I can tell you that has been extremely 
helpful to us.
    It is also helpful not only in reporting problems, whether 
it is a rogue Internet connection, with a wire thrown out a 
window or helping to increase awareness among employees 
throughout the organization.
    Senator Carper. OK. Anybody else on this point? Yes, Mr. 
Heneghan.
    Mr. Heneghan. Actually, I think the IGs would like to have 
a standard as well. I mean, it is not----
    Senator Carper. Why do you say that?
    Mr. Heneghan [continuing]. Because they are struggling with 
the same questions we are. Do you count a gardener or not?
    Senator Carper. Gardeners or IGs?
    Mr. Heneghan. IG types.
    Senator Carper. Maybe both.
    Mr. Heneghan. So I think that they would like to know and 
do the right thing so that they could have a good measure.
    Senator Carper. Well, that is a good point.
    I realize the afternoon is drawing late, but a number of 
the big incidents that we have heard about in the past--and 
there are a couple that you have alluded to, several of those--
but some of those big incidents did not stem from a foreign 
country or from a disgruntled hacker, but really from current 
employees.
    Let me just ask, how do your agencies continually test and 
evaluate your employees' knowledge of IT security? How do your 
agencies hold your employees accountable, from senior managers 
all the way down to an intern, and finally, do you think what you 
are doing is enough?
    Mr. Howard. Sir, training and education is very key, and, 
of course, there is a requirement for 100 percent training and 
education in security and privacy every year. We go through 
that. The other key aspect is leadership involvement. We have 
training programs focused on our leaders, what their 
responsibilities really are, because you are a former military 
person. This is a squad leader activity. If you are not looking 
at the troops and talking to them and making sure they are 
doing what they are supposed to do, you are going to have 
problems.
    Senator Carper. Yes, if the leader does not think it is 
important, nobody else will.
    Mr. Howard. Exactly right. And I am not talking about just 
at the top--all the way down, right at the job site, if you 
will.
    So the issue of training is important. And then 
disciplinary action. We have taken disciplinary action in some 
cases. It is a people issue, no question about it.
    But the other thing I would say you also have to provide 
them the tools. In the VA, we have gone to encrypted thumb 
drives, and the reason that we have done that is, our young 
doctors and young interns, they are like your kids. It is hard 
to discipline them and get them to stay focused on the 
importance of the information that they are walking around with 
this thumb drive. So we mandated the use of encrypted thumb 
drives, and they have to carry this information around to do 
their job.
    Now they can do it with some degree of comfort, because if 
they lose their thumb drive in the parking lot, it is a rock. 
I mean, it is not going to be of any value to anybody. The same 
is true with encrypted laptops--all VA laptops are encrypted 
now. If somebody steals one, they are useless. You cannot get 
into them.
    Senator Carper. All right. Are there others, on the issue 
of education? Go ahead, please. Ms. Swart.
    Ms. Swart. We are one of the providers to other agencies, 
as I mentioned, in partnership with AID. We do annual awareness 
training, so if you want to keep your logon to the system, you 
do this training. You take a test. It includes both information 
security questions and privacy questions on an annual basis.
    Senator Carper. But for your employees, they cannot log on 
to their system?
    Ms. Swart. If after a year, automatically they will be 
asked to take this online test. And if they do not take it, 
they are locked out.
    On the personal responsibility side, we do have a computer 
security incident program that does provide for penalties for 
information security type infractions or violations that is 
patterned on what we do for classified information.
    Senator Carper. OK. Mr. Ash.
    Mr. Ash. The NRC has seen a great deal of value in not just 
computer-based training, but in-person training. The last 
couple of years, the agency has used in-person training to make 
sure that employees have had the opportunity not just to hear 
what the requirements are and the expectations, but also have 
the opportunity to address their concerns and ask questions.
    It is the best opportunity in terms of just interfacing and 
direct interaction with people that know what the requirements 
are and can help educate.
    At times there can be--depending on how the computer-based 
training is set up, if you do not really test them, I mean, 
really test them, what value is it? And that is what I have 
come to appreciate about the NRC's approach--again, the in-
person training.
    Senator Carper. Mr. Heneghan.
    Mr. Heneghan. Our Tip of the Day program, again, from the 
headline news. We will put out a tip on a Washington Post 
article that came out. Everyone gets an idea of what is going 
on; that it is an important issue.
    It is tough to know how effective training is, but I think 
we have a greater incident reporting now from individuals 
because they know of this. They are much more aware of it.
    An example I used, just last week, someone was out in the 
food court, where there were a couple of Federal agencies, doing 
a survey and asking a lot of detailed questions about how 
people remotely log in. That person immediately reported it, 
because we have tips out there that say be careful of people 
asking you questions like this. And GSA escorted the person off 
the premises.
    It gives me a good feeling that our awareness program is 
effective. It has also been used by our Office of General 
Counsel, when we take action against individuals because they 
know they shouldn't be doing it, and, in fact, over the last 
year, they have answered four questions that say, yes, I am not 
supposed to do this. I know that. And our Office of General 
Counsel uses that to see people out the door, if they are prone 
to be policy violators.
    Senator Carper. All right. You may have heard I asked the 
first panel at the close of their presentations and responses, 
I asked them to give some advice to us in the Legislative 
Branch, some advice on what we should do more of or less of 
that would be constructive here. And we got a variety of ideas, 
and I think generally quite helpful ones.
    I am going to ask you all the same question in just a 
moment, but before I do, I have a question for Mr. Ash.
    I was fortunate to go with Chairman Klein, the Chairman of 
the Nuclear Regulatory Commission, up to Peach Bottom a month 
or so ago, where it had some security lapse problems, and we 
went up there to find out what happened and see what is being 
done to make sure it does not happen again. There are any of 
103 other nuclear power plants. I chair a subcommittee on 
nuclear safety, along with Senator Voinovich of Ohio.
    But one of the things that we have learned that takes place 
within the nuclear power plant industry and within the NRC 
itself, the Nuclear Regulatory Commission, is it sounds like 
every 3 years there is a force on force exercise, where bad 
guys, who are really good guys that are trained to be bad guys, 
attempt to penetrate the IT systems or the electronic--they are 
not doing anything electronically. They use real force--and to 
go in and try to take over physically a plant, a nuclear power 
plant.
    And then they do a fair amount of debriefing and lessons 
learned and that sort of thing. But it is real to the extent 
nobody gets killed. But it is a very real exercise, and I think 
from what I hear it is actually quite informative, and you 
actually measure not process, but actually measure whether or 
not people are secure and they are ready at one of these 104 
plants to take on an assault.
    When you think of that approach to security and you look at 
our approach to security with respect to protecting our 
information, our databases and all, can we learn a lesson from 
the force on force that we see in the nuclear power plants? Is 
there something that they are doing there that could help 
inform what we are doing to protect our other information and 
these data breaches?
    Mr. Ash. Yes. I think the easiest answer, the easiest 
lesson, is continue to test. Force on force exercise--I told 
you I joined the NRC a little over 10 months ago, and had the 
opportunity early on in my tenure to observe a force on force 
exercise out in Illinois. Absolutely amazing just to see the 
approach that they take. Again, the objective is to identify 
weaknesses and to measure how successful--obviously if the 
perpetrators can be successful, but how successful are the 
security measures that are put in place by the plant and the 
licensees and the security force.
    But going back to my original point: Continue to test--
penetration testing; social engineering testing--all 
opportunities, because those are what the bad guys are going to 
use, opportunities to send malicious e-mails, phishing 
expeditions. I mean, phishing with a ``ph''--means to try and 
get you as an employee of an agency to give up a password, give 
up sensitive information or give up access when you are not 
really aware of it. That is probably the best lesson learned 
that I think we could take from what the NRC does with the 
force-on-force type exercises.
    Senator Carper. All right. Good. Thank you.
    Mr. Ash. You are welcome.
    Senator Carper. All right. Ms. Swart, did you want to say 
something?
    Ms. Swart. The government does do these cyber storm 
exercises, which do provide those kinds of testing. There is 
one going on right now that we are participating in with other 
agencies that are sponsored I believe by the Department of----
    Senator Carper. You call them cyber storms?
    Ms. Swart. Yes.
    Senator Carper. Do they have code names or anything?
    Ms. Swart. I think that is the code name.
    Senator Carper. All right. Advice for us, some in the 
Legislative Branch?
    Mr. Howard. Sir, keep the pressure on. It helps us to 
balance the issue that I mentioned before. Keep the attention 
on this important area of information protection. It is very 
helpful to us, in spite of the fact we are up here, every once 
in a while getting beaten up, it is a good thing that you keep 
the pressure in this area. It is helpful to us.
    Senator Carper. Good. Thank you. Ms. Swart, what can we do 
that might be constructive or really that would be 
constructive?
    Ms. Swart. I would second that about the visibility. Also 
just the things that we have said about improving the way we do 
the measuring through the existing process, not necessarily 
changing the law.
    Senator Carper. All right. Thank you. Mr. Ash.
    Mr. Ash. I will second that one; third that I guess. The 
other point that I guess that I would like to make is continue 
to encourage the Executive Branch and the Federal Government to 
look at and implement solutions that can help us. It is 
difficult enough for a small agency to implement trusted 
Internet connections. That is why I appreciate what OMB and the 
agencies are doing--the Desktop Configurations. Encourage that. 
Support it. That is what I would ask.
    Senator Carper. All right. Thank you. Mr. Heneghan.
    Mr. Heneghan. I would just reiterate the metrics, but also 
I think not changing the law because that would cause a whole 
other process, but actually just tweaking it a little bit would 
be the way to do it. And get more metrics out there that we can 
compare each other against and everyone will start to feel 
comfortable that it is a good measurement process.
    Senator Carper. OK. Mr. Bennett, in his testimony, in his 
written testimony, listed a number of recommendations for our 
consideration. And I do not know if you all have had a chance 
to look at those recommendations. I am not going to ask you to 
comment on them today here at the hearing, as we draw to a 
close. But one of the things that I am going to ask you in 
writing as a follow up is just to share your comments on the 
recommendations. Which do you like? Which do you think maybe do 
not meet muster, and which would you tweak a little bit and 
maybe they would meet muster?
    If you all could help us with that, I would appreciate it.
    Again, other Members of our Subcommittee I suspect, Dr. 
Coburn and I know--I started to say Dr. Coleman--but Mayor 
Coleman, Senator Coleman, I am sure they have some questions to 
provide in writing. My guess is that some other Members of our 
Subcommittee will, too. And we would appreciate it if you would 
respond to those as fully and as promptly as you can.
    I am just very grateful on behalf of all of us, not just on 
the Subcommittee, not just on our Committee, not just the 
Senate, but the work that you are doing is really important, and 
you know that. And I understood that coming into this hearing, 
but I am certainly reminded of it even more so today--important 
for our country, important for our national security, important 
for our financial security--just important for a lot of peace 
of mind for people. So those of you who are getting A-pluses 
and those that are on your way to getting those A-pluses, stay 
on that glide slope and we will breathe a little bit easier in 
the future.
    With that having been said, this Subcommittee is adjourned, 
and we wish you a good evening. Thank you.
    [Whereupon, at 4:55 p.m., the Subcommittee was adjourned.]